Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.7.
Published: 2026-01-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Omnipress WordPress plugin contains an improper control of filename in its include/require logic, allowing an attacker to cause the plugin to include arbitrary files from the local filesystem. This flaw may enable the execution of injected PHP code or the disclosure of sensitive files such as configuration or user data. The weakness is a classic Local File Inclusion vulnerability mapped to CWE-98.

Affected Systems

The affected product is the Omnipress plugin developed by omnipressteam. Versions from the earliest release up to and including 1.6.7 are impacted.

Risk and Exploitability

The vulnerability carries a CVSS base score of 7.6, indicating a moderate to high potential impact. The EPSS score is less than 1%, suggesting a low probability of exploitation at the current time, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector requires an attacker to send a crafted request to the plugin’s vulnerable endpoint, likely targeting authenticated admin users or users able to access certain plugin pages. If an attacker can embed a PHP file that is subsequently included, remote code execution could be achieved. Although the low EPSS score reduces the immediate threat, the potential impact warrants prompt action.

Generated by OpenCVE AI on April 16, 2026 at 17:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Omnipress plugin to the latest release (≥1.6.8) issued by omnipressteam.
  • If an upgrade cannot be performed right away, temporarily deactivate the Omnipress plugin via the WordPress admin interface to remove the vulnerable code path.
  • Deploy a web application firewall rule that blocks requests containing directory traversal sequences (../) or null byte payloads targeting Omnipress endpoints, thereby reducing the likelihood of successful LFI attempts.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.7.

Type: Title
Values Removed: WordPress Omnipress plugin <= 1.6.6 - Local File Inclusion vulnerability
Values Added: WordPress Omnipress plugin <= 1.6.7 - Local File Inclusion vulnerability

Mon, 26 Jan 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Omnipressteam; Omnipressteam omnipress; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Omnipressteam; Omnipressteam omnipress; Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6.

Type: Title
Values Removed: (none)
Values Added: WordPress Omnipress plugin <= 1.6.6 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:05.671Z

Reserved: 2026-01-23T12:31:40.820Z

Link: CVE-2026-24538

Vulnrichment

Updated: 2026-01-26T19:06:19.342Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:09.893

Modified: 2026-04-23T15:36:47.647

Link: CVE-2026-24538

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:00:11Z

Weaknesses