Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP cookiehint-wp allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through <= 1.0.0.
Published: 2025-12-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in an include/require statement in the CookieHint WP plugin. This flaw permits an attacker to read arbitrary local files through the PHP application, potentially exposing sensitive configuration data or credentials and creating a path to further exploitation. It corresponds to CWE-98, the improper control of filename in include/require statements.

Affected Systems

The plugin CookieHint WP from reDim GmbH is affected in all releases up to and including version 1.0.0. Any WordPress site running a vulnerable version of this plugin is at risk.

Risk and Exploitability

The base CVSS score of 7.5 classifies the issue as high severity. The EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to send a crafted request to the plugin's include endpoint to trigger the local file inclusion; the files included are local to the web server hosting the application, and no elevated privileges are required.

Generated by OpenCVE AI on April 29, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check if a newer version of the CookieHint WP plugin is available that addresses the LFI vulnerability, and upgrade if such a patch exists.
  • If an upgrade is not immediately feasible, consider disabling the CookieHint WP plugin or restricting web access to the plugin’s files via web server configuration.
  • As a temporary workaround, modify the plugin’s code to sanitize any file parameters or restrict include paths to a secure, isolated directory.
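The third action above describes the standard fix for a CWE-98 include defect: never build an include path from request data, resolve a request value through a fixed allowlist, and confirm the result stays inside one directory. The block below is an added illustration of that pattern, not code from CookieHint WP or reDim GmbH. The function names (cookiehint_load_template and helpers), the 'view' request parameter, the templates/ directory and the 'cookiehint-wp' text domain are all assumptions made for the example; the WordPress API calls (plugin_dir_path, sanitize_key, wp_unslash, esc_html__, wp_die) are real.

```php
<?php
// Added example, not CookieHint WP's own code: a hardened template loader
// for a WordPress plugin. Function names, the 'view' parameter and the
// templates/ directory are hypothetical.
//
// Weak pattern this replaces (do not use):
//     include plugin_dir_path(__FILE__) . $_GET['view'];
// Here the request decides the path, which is exactly the CWE-98 condition.

function cookiehint_allowed_templates(): array {
    // Fixed allowlist: request key => template filename. Nothing else is loadable.
    return [
        'banner'   => 'banner.php',
        'settings' => 'settings.php',
    ];
}

function cookiehint_resolve_template(string $requested, string $baseDir): ?string {
    $map = cookiehint_allowed_templates();
    if (!array_key_exists($requested, $map)) {
        return null; // unknown key: refuse; never fall back to the raw request value
    }

    // The request value is now only an index; the filename comes from the map.
    $base = realpath($baseDir);
    $path = realpath($base . DIRECTORY_SEPARATOR . $map[$requested]);

    // Defence in depth: the resolved file must still live under templates/,
    // so a future edit to the map cannot silently point outside it.
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function cookiehint_load_template(): void {
    // sanitize_key() reduces the value to [a-z0-9_-], which already rules out
    // separators and traversal sequences before the allowlist lookup.
    $requested = isset($_GET['view']) ? sanitize_key(wp_unslash($_GET['view'])) : 'banner';
    $baseDir   = plugin_dir_path(__FILE__) . 'templates';

    $path = cookiehint_resolve_template($requested, $baseDir);
    if ($path === null) {
        wp_die(
            esc_html__('Invalid template.', 'cookiehint-wp'),
            '',
            ['response' => 400]
        );
    }
    include $path;
}
```

The allowlist is the control that matters: the attacker-controlled string never becomes part of a filesystem path, so neither traversal sequences nor wrapper schemes reach include. The realpath prefix check is redundant today and exists so that a later change to the map cannot reintroduce the flaw unnoticed.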


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through 1.0.0.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP cookiehint-wp allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through <= 1.0.0.
Type: References
Type: Metrics
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Mon, 29 Dec 2025 17:15:00 +0000

Type: Metrics
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 29 Dec 2025 16:30:00 +0000

Type: Description
  Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through 1.0.0.
Type: Title
  WordPress CookieHint WP plugin <= 1.0.0 - Local File Inclusion vulnerability
Type: Weaknesses
  CWE-98
Type: References
Type: Metrics
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:32.148Z

Reserved: 2025-12-24T14:00:24.760Z

Link: CVE-2025-68870

Vulnrichment

Updated: 2025-12-29T16:50:33.872Z

NVD

Status : Deferred

Published: 2025-12-29T17:15:47.067

Modified: 2026-04-23T15:36:10.570

Link: CVE-2025-68870

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T18:30:17Z

Weaknesses