Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The iRecco Core plugin for WordPress contains improper validation of filename parameters used in PHP include/require directives, which creates a Local File Inclusion flaw. An attacker who can influence these parameters can read arbitrary local files or execute code if the file is included by the application, potentially compromising the confidentiality, integrity, and availability of the site.

Affected Systems

The affected product is the WebGeniusLab iRecco Core WordPress plugin, specifically versions up to and including 1.3.6.

Risk and Exploitability

The CVSS score of 8.1 indicates serious potential impact. The EPSS score of less than 1% suggests that the likelihood of exploitation at present is very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web‑based; an unauthenticated or authenticated user could craft a URL or form submission that points the vulnerable parameter to a sensitive local file, enabling data disclosure or execution. Given the severity and the possibility of remote code execution, prompt remediation is advised.

Generated by OpenCVE AI on April 29, 2026 at 11:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest iRecco Core plugin version 1.3.7 or newer to eliminate the vulnerability.
  • If an upgrade cannot be performed immediately, disable or remove the iRecco Core plugin to eliminate the attack surface.
  • Configure file system permissions and open_basedir restrictions to limit the paths that can be included by PHP, thereby mitigating Local File Inclusion risks.

Advisories

No advisories yet.

History

Thu, 29 Jan 2026 01:15:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 27 Jan 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6.
Type: Title
Values Added: WordPress iRecco Core plugin <= 1.3.6 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:35:28.212Z

Reserved: 2025-12-29T11:18:51.165Z

Link: CVE-2025-69046

Vulnrichment

Updated: 2026-01-27T15:43:01.672Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:17.913

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69046

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z