Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North - Required Plugin north-plugin allows PHP Local File Inclusion. This issue affects North - Required Plugin: from n/a through <= 1.4.2.
Published: 2025-12-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

North - Required Plugin, a WordPress plugin from fuelthemes, has an Improper Control of Filename flaw (CWE-98) that allows an attacker to specify an arbitrary local file for inclusion. This can expose sensitive files or allow execution of PHP code, compromising the site's confidentiality and integrity.

Affected Systems

The North - Required Plugin from fuelthemes is vulnerable in all released versions up to and including 1.4.2; versions beyond 1.4.2 are not reported as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS value of less than 1% suggests the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a web request that triggers the plugin's include mechanism. Because the flaw relies on local file paths, an attacker must be able to influence the path or inject a local file; the attack surface is therefore limited to sites that have the vulnerable plugin installed and expose the path parameter to an untrusted user.

Generated by OpenCVE AI on April 29, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade North - Required Plugin to the latest available version, which removes the insecure include logic.
  • If an upgrade is not possible, deactivate or uninstall the North - Required Plugin to eliminate the vulnerable code path.
  • Restrict the permissions on the plugin directory and the web root to prevent untrusted users from adding or modifying files that could be included, reducing the opportunity for local file inclusion.



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 15:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes North - Required Plugin north-plugin allows PHP Local File Inclusion. This issue affects North - Required Plugin: from n/a through <= 1.4.2.

Type: Title
Values Removed: (none)
Values Added: WordPress North - Required Plugin plugin <= 1.4.2 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:33:33.582Z

Reserved: 2025-10-24T14:25:26.406Z

Link: CVE-2025-63003

Vulnrichment

Updated: 2025-12-10T21:43:53.181Z

NVD

Status: Deferred

Published: 2025-12-09T16:18:05.493

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-63003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:30:10Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')