Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion.This issue affects Majestic Support: from n/a through <= 1.0.7.
Published: 2025-10-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper control of the filename used in a PHP include/require statement allows a local file inclusion vulnerability. Based on the description, it is inferred that an attacker could read or execute arbitrary files that should be inaccessible, potentially disclosing sensitive data or enabling execution of arbitrary PHP code. The flaw is classified as CWE‑98.

Affected Systems

All installations of the Majestic Support WordPress plugin with versions up to and including 1.0.7 are affected. The vulnerability is present in every build from the plugin’s initial release through 1.0.7; no later versions are listed as vulnerable, so unpatched instances remain exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium‑to‑high severity. Based on the description, it is inferred that the flaw could allow remote code execution if a malicious PHP file is included. The EPSS score of less than 1 % suggests that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request to the plugin that triggers the vulnerable include/require call, as inferred from the nature of the flaw.

Generated by OpenCVE AI on April 29, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Majestic Support plugin to a version that removes the vulnerable include logic (e.g., 1.0.8 or later).
  • If an upgrade is not immediately possible, restrict file access by removing write and read permissions for the plugin’s include directory and ensuring that the plugin cannot traverse outside the intended directory.
  • Apply input validation so that any user‑supplied filename is strictly matched against a whitelist of allowed files or paths; alternatively, temporarily disable the file‑inclusion functionality until a patch is available.

Generated by OpenCVE AI on April 29, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion.This issue affects Majestic Support: from n/a through <= 1.1.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion.This issue affects Majestic Support: from n/a through <= 1.0.7.
Title WordPress Majestic Support plugin <= 1.1.1 - Local File Inclusion vulnerability WordPress Majestic Support plugin <= 1.0.7 - Local File Inclusion vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Majesticsupport
Majesticsupport majestic Support
Wordpress
Wordpress wordpress
Vendors & Products Majesticsupport
Majesticsupport majestic Support
Wordpress
Wordpress wordpress

Wed, 29 Oct 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 29 Oct 2025 09:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support Majestic Support majestic-support allows PHP Local File Inclusion.This issue affects Majestic Support: from n/a through <= 1.1.1.
Title WordPress Majestic Support plugin <= 1.1.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Majesticsupport Majestic Support
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:29:41.129Z

Reserved: 2025-10-29T03:29:08.849Z

Link: CVE-2025-64284

cve-icon Vulnrichment

Updated: 2025-10-29T14:13:43.230Z

cve-icon NVD

Status : Deferred

Published: 2025-10-29T09:15:45.423

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64284

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses