Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download subscribe-to-download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through <= 2.0.9.
Published: 2025-09-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Subscribe to Download WordPress plugin is caused by improper control of the filename used in a PHP include/require statement, allowing an attacker to supply a crafted input that results in an arbitrary local file being included. This can expose sensitive server files and potentially enable the execution of malicious PHP code, compromising confidentiality and system integrity.

Affected Systems

The issue affects the wpshuffle Subscribe to Download plugin for WordPress. Versions from the initial launch through and including 2.0.9 are vulnerable, so any WordPress site with this plugin installed at those versions is at risk.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity, while the EPSS score of <1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted request that passes a malicious filename to the plugin, allowing local file inclusion. No public exploit is documented, so the risk remains largely theoretical, but the potential impact warrants timely remediation.

Generated by OpenCVE AI on April 29, 2026 at 23:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Subscribe to Download plugin to version 2.1.0 or later when the vendor releases a fix.
  • If an upgrade is not immediately possible, disable the plugin or remove it from the site.
  • Implement access controls or input validation that rejects arbitrary filenames in plugin include paths, mitigating the LFI flaw until a patch is applied.
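The third action above, shown as an added plain-PHP illustration rather than the plugin's own code (which this page does not include): the uncontrolled include pattern that CWE-98 describes next to a hardened loader that accepts only allowlisted names and verifies the resolved path stays inside the template directory. The request parameter `tpl`, the constant and the function names are assumptions.

```php
<?php
// Added example, not code from the Subscribe to Download plugin.
// Hypothetical template directory and parameter name "tpl".
define('STD_TEMPLATE_DIR', __DIR__ . '/templates');

// CWE-98 pattern: the included filename is built straight from request input,
// so traversal sequences or an absolute path can pull in any readable file.
function std_load_template_unsafe(string $tpl): void
{
    include STD_TEMPLATE_DIR . '/' . $tpl . '.php';
}

// Hardened loader: a fixed allowlist decides which names are acceptable, and
// realpath() confirms the final path is under the template directory even if
// a symlink or a later refactor weakens the allowlist.
function std_load_template(string $tpl): bool
{
    $allowed = ['form', 'success', 'error'];
    if (!in_array($tpl, $allowed, true)) {
        return false;                      // unknown template name: refuse
    }
    $base = realpath(STD_TEMPLATE_DIR);
    $path = realpath(STD_TEMPLATE_DIR . '/' . $tpl . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                      // missing file or escaped base dir
    }
    include $path;
    return true;
}

// Request handling with a constructed default; invalid names get a 400.
$tpl = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'form';
if (!std_load_template($tpl)) {
    http_response_code(400);
    echo 'Invalid template';
}
```

The allowlist is the control that actually closes the flaw; the realpath check is defence in depth for the case where a name is later derived from input in a less strict way.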

Advisories
  Source: EUVD
  ID: EUVD-2025-31254
  Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through 2.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Value: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through 2.0.9.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download subscribe-to-download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through <= 2.0.9.

  Type: Title
  Values Removed: WordPress Subscribe to Download Plugin <= 2.0.9 - Local File Inclusion Vulnerability
  Values Added: WordPress Subscribe to Download plugin <= 2.0.9 - Local File Inclusion vulnerability

  Type: References

  Type: Metrics (cvssV3_1)
  Value: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 29 Sep 2025 09:45:00 +0000

  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Fri, 26 Sep 2025 13:15:00 +0000

  Type: Metrics (ssvc)
  Value: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 26 Sep 2025 08:45:00 +0000

  Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpshuffle Subscribe to Download allows PHP Local File Inclusion. This issue affects Subscribe to Download: from n/a through 2.0.9.

  Type: Title
  Values Added: WordPress Subscribe to Download Plugin <= 2.0.9 - Local File Inclusion Vulnerability

  Type: Weaknesses
  Values Added: CWE-98

  Type: References

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:55.824Z

Reserved: 2025-09-25T15:28:03.106Z

Link: CVE-2025-60150

Vulnrichment

Updated: 2025-09-26T13:06:56.313Z

NVD

Status: Deferred

Published: 2025-09-26T09:15:43.567

Modified: 2026-04-23T15:34:18.920

Link: CVE-2025-60150

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')