{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69374", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:05.451Z", "datePublished": "2026-02-20T15:46:51.890Z", "dateUpdated": "2026-04-28T20:56:24.847Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ele-blog", "product": "Eleblog \u2013 Elementor Blog And Magazine Addons", "vendor": "SolverWp", "versions": [{"lessThanOrEqual": "2.0.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:03:46.826Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog \u2013 Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.<p>This issue affects Eleblog \u2013 Elementor Blog And Magazine Addons: from n/a through <= 2.0.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog \u2013 Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog \u2013 Elementor Blog And Magazine Addons: from n/a through <= 2.0.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.649Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ele-blog/vulnerability/wordpress-eleblog-elementor-blog-and-magazine-addons-plugin-2-0-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Eleblog \u2013 Elementor Blog And Magazine Addons plugin <= 2.0.3 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:32:19.320207Z", "id": "CVE-2025-69374", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:56:24.847Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69374", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:32:19.320207Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:32:20.829Z"}}], "cna": {"title": "WordPress Eleblog \u2013 Elementor Blog And Magazine Addons plugin <= 2.0.3 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "SolverWp", "product": "Eleblog \u2013 Elementor Blog And Magazine Addons", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.0.3"}], "packageName": "ele-blog", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:03:46.826Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ele-blog/vulnerability/wordpress-eleblog-elementor-blog-and-magazine-addons-plugin-2-0-3-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog \u2013 Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog \u2013 Elementor Blog And Magazine Addons: from n/a through <= 2.0.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog \u2013 Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.<p>This issue affects Eleblog \u2013 Elementor Blog And Magazine Addons: from n/a through <= 2.0.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:24.926Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69374", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:24.926Z", "dateReserved": "2025-12-31T20:13:05.451Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:51.890Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog \u2013 Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog \u2013 Elementor Blog And Magazine Addons: from n/a through <= 2.0.3."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en programa PHP ('inclusi\u00f3n remota de ficheros PHP') vulnerabilidad en SolverWp Eleblog \u2013 Elementor Blog And Magazine Addons ele-blog permite inclusi\u00f3n local de ficheros PHP. Este problema afecta a Eleblog \u2013 Elementor Blog And Magazine Addons: desde n/a hasta &lt;= 2.0.3."}], "id": "CVE-2025-69374", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:21.717", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ele-blog/vulnerability/wordpress-eleblog-elementor-blog-and-magazine-addons-plugin-2-0-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Eleblog \u2013 Elementor Blog And Magazine Addons", "source": "cna", "vendor": "SolverWp"}, "product": "eleblog_\u2013_elementor_blog_and_magazine_addons", "vendor": "solverwp"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:25:06.499941+00:00", "value": {"mitigation_remediation": ["Update the Eleblog plugin to the latest release.", "If updating is not possible, remove or disable the Eleblog addon entirely.", "Restrict write access to the Eleblog directory and block external PHP file access via .htaccess rules."], "summary": {"action": "Apply patch", "impact": "Local file inclusion that can lead to remote code execution on WordPress sites using the Eleblog plugin"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the Eleblog \u2013 Elementor Blog And Magazine Addons plugin installed in any version up to and including 2.0.3. The vulnerability exists from the initial release through version 2.0.3; all current 2.0.3 or older deploys are at risk.", "description_and_impact": "An attacker may exploit a flaw that allows local file inclusion in the WordPress Eleblog \u2013 Elementor Blog And Magazine Addons plugin. The vulnerable code improperly validates filenames used in PHP include or require statements, giving access to arbitrary files on the server. This can enable an attacker to read sensitive files, inject malicious code, or ultimately execute arbitrary server\u2011side code, compromising confidentiality, integrity, and availability.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity. The EPSS score is below 1%, indicating low current exploitation probability, and the vulnerability is not in CISA's KEV catalog. Exploitation would likely involve sending a crafted request to a web endpoint that accepts a filename parameter, forcing the server to include a local file. The attack vector is web\u2011based and may not require authentication, making it potentially reachable to unauthenticated users, but specifics are not detailed in the description."}}}}, "created": "2026-02-23T14:37:19.130020+00:00", "updated": "2026-04-27T20:30:12.274854+00:00", "vendors": ["solverwp", "solverwp$PRODUCT$eleblog_\u2013_elementor_blog_and_magazine_addons", "wordpress", "wordpress$PRODUCT$wordpress"]}