Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

jnews-pay-writer improperly handles filenames passed to an include/require statement, resulting in a local file inclusion flaw. An attacker can trick the plugin into reading or executing arbitrary files on the server, potentially exposing sensitive data or running malicious code. The weakness is classified as CWE-98 and can lead to confidentiality, integrity, or availability compromise depending on which files are accessed.

Affected Systems

The vulnerability affects Jegtheme's JNews – Pay Writer plugin up to and including version 11.0.0. Users running version 11.0.0 or any earlier version are exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity LFI risk, while the EPSS score of less than 1% suggests a low current probability of exploitation. The flaw is not listed in the CISA KEV catalog. The likely attack vector involves supplying a crafted parameter that the plugin evaluates without proper validation, which may be possible over an unauthenticated web request if the vulnerable endpoint is publicly accessible. Overall risk remains elevated until the vendor releases a fix.

Generated by OpenCVE AI on April 29, 2026 at 10:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JNews – Pay Writer to the latest version that removes the LFI vulnerability.
  • If an immediate update is not possible, restrict access to any plugin endpoints that trigger file inclusion, for example by employing a firewall rule or adjusting web server configuration to block arbitrary file path requests.
  • If the plugin is not required, disable or uninstall it until a patch is available.



Advisories

No advisories yet.

History

Tue, 27 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jnews; Jnews jnews; Wordpress; Wordpress wordpress
Vendors & Products | | Jnews; Jnews jnews; Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews - Pay Writer: from n/a through <= 11.0.0.
Title | | WordPress JNews - Pay Writer plugin <= 11.0.0 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:08:18.631Z

Reserved: 2025-12-24T14:00:54.031Z

Link: CVE-2025-68905

Vulnrichment

Updated: 2026-01-27T20:59:24.067Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:14.360

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-68905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:00:10Z

Weaknesses