Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion.

This issue affects SeedProd Pro: from n/a before 6.19.5.
Published: 2026-05-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filenames in the PHP include/require statement used by SeedProd Pro. An attacker can supply a crafted path to a plugin endpoint, causing the application to include an arbitrary local file. This flaw can expose confidential files or, if the file contains executable PHP code, lead to remote code execution. The weakness aligns with CWE-98 and is classified as a Local File Inclusion (LFI).

Affected Systems

SeedProd LLC SeedProd Pro is impacted for all releases prior to version 6.19.5. The affected product is the WordPress plugin SeedProd Pro, and any WordPress site that has installed a version older than 6.19.5 is vulnerable. No specific sub‑versions are listed, so all builds before 6.19.5 should be considered at risk until patched.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity vulnerability. The EPSS score is not available, and the issue is not currently listed in CISA KEV. Based on the description, the attack technique is local file inclusion, which typically requires the attacker to supply a malicious path to the plugin. Exploitation does not require additional authentication beyond the usual plugin access, making it feasible in situations where the plugin is exposed to the public web interface. Because no exploit is known in the wild, the immediate threat remains theoretical, but the high severity warrants prompt remediation.

Generated by OpenCVE AI on May 27, 2026 at 19:59 UTC.

Remediation

Vendor Solution

Update the WordPress SeedProd Pro Plugin to the latest available version (at least 6.19.5).


OpenCVE Recommended Actions

  • Update SeedProd Pro to version 6.19.5 or later to remove the vulnerable include logic.
  • Restrict filesystem permissions on WordPress and plugin directories so that the web server can read only necessary files, preventing access to sensitive content that could be included via LFI.
  • Configure a web application firewall or server rule to block requests that contain path traversal sequences (e.g., '..') or other LFI patterns targeting the plugin’s file inclusion endpoint.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Seedprod Llc; Seedprod Llc seedprod Pro; Wordpress; Wordpress wordpress
Vendors & Products | | Seedprod Llc; Seedprod Llc seedprod Pro; Wordpress; Wordpress wordpress

Wed, 27 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5.
Title | | WordPress SeedProd Pro plugin < 6.19.5 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T14:46:23.991Z

Reserved: 2026-05-26T19:56:06.748Z

Link: CVE-2026-48972

Vulnrichment

Updated: 2026-05-27T14:46:19.008Z

NVD

Status: Deferred

Published: 2026-05-27T14:17:33.173

Modified: 2026-06-17T10:55:26.170

Link: CVE-2026-48972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:50:47Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')