{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69383", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:13:11.108Z", "datePublished": "2026-02-20T15:46:53.941Z", "dateUpdated": "2026-04-28T20:57:47.752Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wpshop", "product": "WP shop", "vendor": "Agence web Eoxia - Montpellier", "versions": [{"lessThanOrEqual": "2.6.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:11.370Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.<p>This issue affects WP shop: from n/a through <= 2.6.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:39.777Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wpshop/vulnerability/wordpress-wp-shop-plugin-2-6-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress WP shop plugin <= 2.6.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:08:21.983830Z", "id": "CVE-2025-69383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:57:47.752Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:08:21.983830Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:08:10.958Z"}}], "cna": {"title": "WordPress WP shop plugin <= 2.6.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Skalucy | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "Agence web Eoxia - Montpellier", "product": "WP shop", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.6.1"}], "packageName": "wpshop", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-02-20T16:44:21.684Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wpshop/vulnerability/wordpress-wp-shop-plugin-2-6-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.<p>This issue affects WP shop: from n/a through <= 2.6.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-02-20T15:46:53.941Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69383", "state": "PUBLISHED", "dateUpdated": "2026-02-24T20:08:30.147Z", "dateReserved": "2025-12-31T20:13:11.108Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-20T15:46:53.941Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en Agence web Eoxia - Montpellier WP shop wpshop permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a WP shop: desde n/a hasta &lt;= 2.6.1."}], "id": "CVE-2025-69383", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-20T16:22:23.023", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wpshop/vulnerability/wordpress-wp-shop-plugin-2-6-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.6.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "WP shop", "source": "cna", "vendor": "Agence web Eoxia - Montpellier"}, "product": "wp_shop", "vendor": "agence_web_eoxia_-_montpellier"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-27T20:21:12.765270+00:00", "value": {"mitigation_remediation": ["Upgrade WP shop plugin to the latest released version (greater than 2.6.1).", "If a newer version is not yet available, modify the plugin's file inclusion logic to use a fixed, whitelisted path or hard\u2011code the filenames instead of relying on user input. ", "Restrict file permissions and disable PHP execution in the plugin directory by adding appropriate .htaccess rules or server configuration directives."], "summary": {"action": "Update Plugin", "impact": "Local File Inclusion in WordPress WP shop plugin"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the WP shop plugin developed by Agence web Eoxia \u2013 Montpellier for WordPress sites. All releases from the earliest available version up to and including version 2.6.1 are affected. Site administrators using this plugin should check the installed version and apply remediation steps promptly.", "description_and_impact": "The flaw arises from inadequate validation of file names used in PHP include/require statements within the WP shop plugin. An attacker who can influence the input that determines the file path can trigger the plugin to include arbitrary local files. This may expose sensitive information or, if the attacker can provide a malicious file, allow execution of arbitrary PHP code within the application. The weakness maps to CWE\u201198, which covers improper controls over the filenames that are processed by program code.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high severity potential impact. Exploitation requires an attacker to supply a crafted filename that the plugin will include; the probability of exploitation is currently low, with an EPSS score of less than 1%. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is that an attacker gains control over the filename used in an include or require call, possibly via a form field or query parameter exposed by the plugin."}}}}, "created": "2026-02-23T14:37:11.356953+00:00", "updated": "2026-04-27T20:30:12.273456+00:00", "vendors": ["agence_web_eoxia_-_montpellier", "agence_web_eoxia_-_montpellier$PRODUCT$wp_shop", "wordpress", "wordpress$PRODUCT$wordpress"]}