Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion. This issue affects Easy Invoice: from n/a through <= 2.1.4.
Published: 2025-11-21
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in an include/require statement in PHP, allowing local file inclusion. An attacker could supply a crafted path to read arbitrary files from the server, potentially exposing configuration files, keys or other confidential data. If the included file contains executable code, it may enable further compromise of integrity or even local code execution for the web server user.

Affected Systems

WordPress sites that have the Easy Invoice plugin from MatrixAddons installed. All versions from the initial release up to and including 2.1.4 are affected.

Risk and Exploitability

The CVSS score of 6.6 indicates a medium severity impact. The EPSS score of less than 1 percent suggests that exploitation is unlikely to be widely observed, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector involves an unauthenticated user sending a crafted URL or parameter that causes the plugin to include a local file; this inference is based on the LFI description and is not directly stated in the advisories. Successful exploitation would compromise confidentiality and potentially integrity of the affected WordPress installation.

Generated by OpenCVE AI on April 29, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Easy Invoice plugin to version 2.1.5 or later once an official patch is available.
  • Restrict file permissions on the WordPress installation, ensuring that the web server process cannot read sensitive system or configuration files that should remain hidden.
  • Implement a web application firewall rule to block or sanitize requests containing suspicious file path fragments such as '../' or leading dots that could trigger local file inclusion attacks.

Tracking


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 01:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 17 Dec 2025 22:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 12:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in MatrixAddons Easy Invoice easy-invoice allows PHP Local File Inclusion. This issue affects Easy Invoice: from n/a through <= 2.1.4.
Type: Title
Values Added: WordPress Easy Invoice plugin <= 2.1.4 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:17.199Z

Reserved: 2025-11-21T11:21:26.612Z

Link: CVE-2025-66115

Vulnrichment

Updated: 2025-12-17T21:44:09.967Z

NVD

Status: Deferred

Published: 2025-11-21T13:15:53.440

Modified: 2026-04-27T18:16:36.743

Link: CVE-2025-66115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:00:18Z

Weaknesses