| CVE | Severity | CVSS | EPSS | | Fix | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-12923 | High | 7.5 v3 | - | - | No fix available yet | 2026-07-01 | The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpvers |
| CVE-2026-57647 | High | 7.5 v3 | 0.3% | - | No fix available yet | 2026-06-26 | Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions. |
| CVE-2025-68064 | High | 7.5 v3 | 0.3% | - | No fix available yet | 2026-06-26 | Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions. |
| CVE-2025-68063 | High | 7.5 v3 | 0.3% | - | No fix available yet | 2026-06-26 | Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions. |
| CVE-2026-54845 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-25 | Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions. |
| CVE-2019-25760 | Medium | 6.2 v3 | 0.4% | - | No fix available yet | 2026-06-19 | Joomla! Component Easy Shop 1.2.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by supplying base64-encoded file paths. Attackers can send GET requests to index.php with the option parameter set to com_easyshop, task set to ajax.loadImage, and a base64-encoded file path in the file parameter to retrieve sensitive files like configuration.php and system files. |
| CVE-2026-7515 | Critical | 9.8 v3 | 0.9% | - | No fix available yet | 2026-06-19 | The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. |
| CVE-2026-48820 | Medium | 6.3 v4 | 0.3% | - | No fix available yet | 2026-06-17 | CakePHP is a rapid development framework for PHP. In versions 4.5.11 and earlier, 4.6.0 through 4.6.3, 5.0.0 through 5.1.6, 5.2.0 through 5.2.12, and 5.3.0 through 5.3.5, View::_getElementFileName() does not check that the resolved element path is within the application/plugin view template paths. When element names are created with specifically crafted user-supplied data this weakness can be leveraged to include other PHP files on the server. Patched releases are available in 5.3.6, 5.2.13, 5.1.7, 4.6.4, and 4.5.11. |
| CVE-2026-54814 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109. |
| CVE-2026-39590 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions. |
| CVE-2026-39559 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions. |
| CVE-2026-39523 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Solene Core <= 2.3.2 versions. |
| CVE-2025-69175 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Line Agency <= 1.3.1 versions. |
| CVE-2025-69174 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Etude <= 1.6 versions. |
| CVE-2025-69170 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions. |
| CVE-2025-69166 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions. |
| CVE-2025-69164 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Skyward <= 1.10 versions. |
| CVE-2025-69158 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Granola <= 1.13 versions. |
| CVE-2025-69157 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Gamic <= 1.15 versions. |
| CVE-2025-69144 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Preservation <= 1.10 versions. |
| CVE-2025-69126 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions. |
| CVE-2025-69123 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions. |
| CVE-2025-69120 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions. |
| CVE-2025-69115 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in LuxMed \| Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions. |
| CVE-2025-69106 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions. |
| CVE-2026-40731 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions. |
| CVE-2026-40721 | High | 7.5 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions. |
| CVE-2026-39582 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions. |
| CVE-2026-39568 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions. |
| CVE-2026-39558 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Malmö <= 2.2 versions. |
| CVE-2026-39549 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions. |
| CVE-2026-39547 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Getaway < 1.8 versions. |
| CVE-2026-39537 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions. |
| CVE-2026-39522 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Solene <= 3.4 versions. |
| CVE-2026-34895 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions. |
| CVE-2026-34894 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions. |
| CVE-2026-34893 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions. |
| CVE-2026-22338 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions. |
| CVE-2026-22331 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in AutoParts <= 1.5.8 versions. |
| CVE-2026-22330 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Right Way <= 4.0 versions. |
| CVE-2026-22326 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Reprizo <= 1.0.8 versions. |
| CVE-2026-22325 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions. |
| CVE-2025-69178 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions. |
| CVE-2025-69177 | High | 8.1 v3 | 0.5% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions. |
| CVE-2025-69176 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in ITactics <= 1.0 versions. |
| CVE-2025-69173 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions. |
| CVE-2025-69172 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Resurs <= 1.3 versions. |
| CVE-2025-69171 | High | 8.1 v3 | 0.3% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions. |
| CVE-2025-69168 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Spike <= 1.2 versions. |
| CVE-2025-69167 | High | 8.1 v3 | 0.4% | - | No fix available yet | 2026-06-17 | Unauthenticated Local File Inclusion in Eros <= 1.3 versions. |
Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.