Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in whatwouldjessedo Simple Retail Menus simple-retail-menus allows PHP Local File Inclusion.This issue affects Simple Retail Menus: from n/a through <= 4.2.1.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary local file read or code execution via inclusion
Action: Apply Patch
AI Analysis

Impact

The plugin contains an improperly controlled filename in a PHP include/require statement, allowing an attacker to trigger local file inclusion. This flaw can enable the attacker to read arbitrary files on the server and, if PHP code is executed from a local file, can lead to full compromise of the WordPress site. The weakness is classified as CWE‑98.

Affected Systems

WordPress sites that use the whatwouldjessedo Simple Retail Menus plugin, version 4.2.1 or earlier. The vulnerability is present in all releases up to and including 4.2.1.

Risk and Exploitability

The CVSS base score of 7.5 indicates considerable risk, but the EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Because the flaw manifests through an untrusted source parameter for a file include, the likely attack vector is via the plugin’s web interface or through a crafted request that supplies a path to an arbitrary local file. This inference is drawn from the description of improper filename control. Exploitation typically requires the attacker to have access to the server’s file system, but if the attacker can influence the include argument, remote code execution becomes possible.

Generated by OpenCVE AI on April 27, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Simple Retail Menus to a version newer than 4.2.1 once the vendor releases a fix.
  • If an immediate upgrade is not feasible, temporarily disable or uninstall the plugin to block the vulnerability.
  • Review and tighten any remaining file inclusion points in the plugin code, ensuring that paths are validated and restricted to trusted directories.

Generated by OpenCVE AI on April 27, 2026 at 20:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Whatwouldjessedo
Whatwouldjessedo simple Retail Menus
Wordpress
Wordpress wordpress
Vendors & Products Whatwouldjessedo
Whatwouldjessedo simple Retail Menus
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in whatwouldjessedo Simple Retail Menus simple-retail-menus allows PHP Local File Inclusion.This issue affects Simple Retail Menus: from n/a through <= 4.2.1.
Title WordPress Simple Retail Menus plugin <= 4.2.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Whatwouldjessedo Simple Retail Menus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:58:15.855Z

Reserved: 2025-12-31T20:13:11.108Z

Link: CVE-2025-69387

cve-icon Vulnrichment

Updated: 2026-02-24T20:07:55.310Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:24.007

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69387

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:30:12Z

Weaknesses