Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
Published: 2025-12-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in include/require statements, which allows local file inclusion (LFI) in the Subscribe to Unlock Lite plugin. If an attacker can supply a crafted path, they may be able to read sensitive files or cause a malicious file to be included, potentially disclosing confidential data. The flaw is the classic PHP include/require weakness, CWE-98.

Affected Systems

WP Shuffle maintains the Subscribe to Unlock Lite plugin, and every instance of the plugin with a version from n/a through 1.3.0 is affected. This includes all WordPress sites that have installed the plugin in any of those versions.

Risk and Exploitability

The CVSS score of 7.5 indicates substantial impact combined with high attack complexity, while the EPSS score of less than 1% suggests the probability of exploitation is currently low. The vulnerability is not listed in CISA's KEV catalog. The likely attack path involves an attacker identifying a vulnerable include parameter, crafting a path that traverses to a local file, and then attempting to read or execute that file. Because the flaw is a local file inclusion, it generally requires access to the web application context, but if the plugin accepts external input, an attacker may be able to abuse it remotely.

Generated by OpenCVE AI on April 29, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Subscribe to Unlock Lite to the latest released version, which removes the vulnerable filename handling logic.
  • If upgrading immediately is not possible, disable or remove the plugin or the specific functionality that allows arbitrary includes from the codebase or configuration.
  • Implement a web application firewall rule that blocks requests containing suspicious parameters that may target include statements, such as those containing directory traversal sequences or file extensions that may trigger PHP includes.
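The include/require pattern behind CWE-98 described under Impact, together with the allowlist and request-screening controls the recommendations above point to, as an added PHP illustration. This is not code from the Subscribe to Unlock Lite plugin or from WP Shuffle; the template directory, template names, the `template` request parameter and every function name below are hypothetical.

```php
<?php
// Added illustration of the CWE-98 pattern, not the plugin's code.
// Directory, template names, parameter and function names are hypothetical.

// Vulnerable shape: a request-controlled value reaches include() unchanged.
// A traversal sequence in $name escapes the templates directory, which is
// exactly the "improper control of filename" the advisory describes.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened shape: the request value selects an entry from a fixed allowlist
// and is never concatenated into a path. Anything not on the list is rejected.
const TEMPLATE_ALLOWLIST = [
    'unlock-form' => 'unlock-form.php',
    'thank-you'   => 'thank-you.php',
];

function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$name]);
    // Defence in depth: even an allowlisted entry must resolve inside $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Coarse request-level check of the kind the third recommendation describes:
// flag values carrying traversal sequences or NUL bytes, encoded or not,
// before they reach the include logic. Decoding twice catches double encoding.
function looks_like_traversal(string $value): bool
{
    $decoded = rawurldecode(rawurldecode($value));
    return str_contains($decoded, '..') || str_contains($decoded, "\0");
}

// Hypothetical entry point wiring the pieces together.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'unlock-form';
if (looks_like_traversal($requested)) {
    http_response_code(400);
    exit('Rejected');
}
render_template_safe($requested);
```

The allowlist is the control that actually closes the weakness; the `looks_like_traversal` screen only reduces noise at the edge and should not be relied on alone, since an attacker-controlled value that is not on the allowlist is rejected regardless of how it is encoded.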

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Dec 2025 12:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
Type: Title
Values Added: WordPress Subscribe to Unlock Lite plugin <= 1.3.0 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.339Z

Reserved: 2025-12-19T10:17:23.837Z

Link: CVE-2025-68563

Vulnrichment

Updated: 2025-12-24T19:05:35.137Z

NVD

Status : Deferred

Published: 2025-12-24T13:16:23.223

Modified: 2026-04-27T19:16:30.747

Link: CVE-2025-68563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses