Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

This vulnerability is an instance of CWE-98, improper control of the filename used in PHP include/require statements within the TangibleWP Listivo Core plugin. The flaw permits an attacker to trigger a PHP Local File Inclusion (LFI). An LFI can expose arbitrary files stored on the web server, potentially revealing configuration data or other sensitive material.

Affected Systems

The affected product is TangibleWP Listivo Core. All releases with version numbers up to and including 2.3.77 are vulnerable. No specific component is singled out in the advisory.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is below 1%, showing a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves manipulation of a filename parameter that is passed directly to an include or require call; the attacker may trigger the flaw through crafted URLs or inputs via the plugin interface. While the LFI itself does not provide remote code execution, it can allow sensitive data disclosure, and in environments where arbitrary files can be uploaded or where execution of included files is possible, it could be a stepping stone to further compromise.

Generated by OpenCVE AI on April 28, 2026 at 18:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Listivo Core release newer than 2.3.77, which removes the unsafe include logic.
  • If an upgrade cannot be performed immediately, disable or remove any plugin components that accept user‑supplied file names or construct include paths without validation.
  • Restrict filesystem permissions on the web root and configuration directories, and monitor access logs for attempts to read protected files or invoke the vulnerable include path.

Advisories

No advisories yet.

History

Fri, 30 Jan 2026 12:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 19:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tangiblewp; Tangiblewp listivo; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Tangiblewp; Tangiblewp listivo; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77.

Type: Title
Values Removed: (none)
Values Added: WordPress Listivo Core plugin <= 2.3.77 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:28:56.570Z

Reserved: 2025-12-15T10:00:16.553Z

Link: CVE-2025-67957

Vulnrichment

Updated: 2026-01-29T17:16:29.466Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:05.273

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:15:37Z

Weaknesses