Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion.This issue affects UDesign Core: from n/a through <= 4.14.0.
Published: 2025-12-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filename for include/require statements in the UDesign Core plugin allows an attacker to force the inclusion of arbitrary local files through crafted input. The vulnerability, categorized as CWE–98, can lead to the disclosure of sensitive files or execution of arbitrary PHP code if the included file contains malicious content. In the worst case, successful exploitation could provide a full compromise of the web application server.

Affected Systems

The security issue affects AndonDesign UDesign Core from the earliest available release through version 4.14.0. All installations of the plugin at or below this version are vulnerable.

Risk and Exploitability

The CVSS score of 7.5 classifies the vulnerability as high severity, and the EPSS score of less than 1 % indicates it is currently unlikely to be actively exploited. The exploit would likely require sending a specially crafted HTTP request to the plugin’s file inclusion endpoint, potentially exploiting authenticated or unauthenticated access depending on how the plugin validates input. Because the vulnerability is not listed in the CISA KEV catalog, no known widespread exploitation has been documented as of the latest assessment.

Generated by OpenCVE AI on April 29, 2026 at 19:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade UDesign Core to the latest version (4.14.1 or later) to remove the vulnerable include logic.
  • If an upgrade is not immediately possible, deactivate or uninstall the UDesign Core plugin to eliminate the attack surface.
  • Apply a web application firewall rule that blocks attempts to supply file paths containing directory traversal patterns to endpoints of the plugin.
  • Monitor server logs for attempts to include non‑existent files or repeated directory traversal attempts and investigate any anomalies.

Generated by OpenCVE AI on April 29, 2026 at 19:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 09 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 15:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion.This issue affects UDesign Core: from n/a through <= 4.14.0.
Title WordPress UDesign Core plugin <= 4.14.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:09.720Z

Reserved: 2025-10-24T14:26:38.886Z

Link: CVE-2025-63062

cve-icon Vulnrichment

Updated: 2025-12-09T16:40:09.223Z

cve-icon NVD

Status : Deferred

Published: 2025-12-09T16:18:11.770

Modified: 2026-04-27T19:16:20.363

Link: CVE-2025-63062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:15:18Z

Weaknesses