Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion. This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1.
Published: 2026-03-25
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Now
AI Analysis

Impact

The Visual Portfolio, Photo Gallery & Post Grid plugin contains an improper handling of file names supplied in PHP include/require statements. An attacker can supply a crafted path that causes the server to read or execute files from the local filesystem. This flaw can lead to the disclosure of sensitive data or arbitrary code execution within the context of the WordPress site, compromising confidentiality and integrity.

Affected Systems

Any WordPress installation that has the Visual Portfolio, Photo Gallery & Post Grid plugin installed and running a version through 3.5.1 is impacted. The flaw exists in all releases from the plugin’s earliest public version up to and including 3.5.1.

Risk and Exploitability

The severity score of 7.5 classifies the issue as high. No public exploits have been documented at the time of writing. The likely attack vector is through a publicly accessible interface or administrative setting that accepts file path input, allowing an attacker to trigger the inclusion of malicious or sensitive files. Full exploitation requires the attacker to have write or read access to the site’s file system path specified by the plugin’s code.

Generated by OpenCVE AI on March 26, 2026 at 00:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Visual Portfolio, Photo Gallery & Post Grid plugin to a version newer than 3.5.1, if such a release exists.
  • If an update is not immediately possible, deactivate the plugin entirely to remove the local file inclusion path.
  • Perform a file system audit to ensure that no files that could be referenced by the plugin remain accessible via the web root.
  • Monitor the WordPress plugin repository or the vendor’s update channel for a patch and apply it as soon as it becomes available.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
  • First Time appeared (added): Visualportfolio; Visualportfolio visual Portfolio, Photo Gallery & Post Grid; Wordpress; Wordpress wordpress
  • Vendors & Products (added): Visualportfolio; Visualportfolio visual Portfolio, Photo Gallery & Post Grid; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
  • Metrics (added): cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
  • Description (added): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion. This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1.
  • Title (added): WordPress Visual Portfolio, Photo Gallery & Post Grid plugin <= 3.5.1 - Local File Inclusion vulnerability
  • Weaknesses (added): CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:08:46.372Z

Reserved: 2026-03-12T11:12:24.777Z

Link: CVE-2026-32537

Vulnrichment

Updated: 2026-03-25T20:08:31.940Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:07.427

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32537

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:16Z

Weaknesses