{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25326", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:29.366Z", "datePublished": "2026-02-19T08:26:56.504Z", "dateUpdated": "2026-04-28T16:14:55.554Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cmsmasters-content-composer", "product": "CMSMasters Content Composer", "vendor": "cmsmasters", "versions": [{"changes": [{"at": "1.4.6", "status": "unaffected"}], "lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:04.195Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.<p>This issue affects CMSMasters Content Composer: from n/a through <= 1.4.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a through <= 1.4.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:55.554Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cmsmasters-content-composer/vulnerability/wordpress-cmsmasters-content-composer-plugin-1-4-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress CMSMasters Content Composer plugin <= 1.4.5 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T16:08:05.875876Z", "id": "CVE-2026-25326", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T12:59:52.056Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25326", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:52:29.366Z", "datePublished": "2026-02-19T08:26:56.504Z", "dateUpdated": "2026-04-28T12:59:52.056Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cmsmasters-content-composer", "product": "CMSMasters Content Composer", "vendor": "cmsmasters", "versions": [{"changes": [{"at": "1.4.6", "status": "unaffected"}], "lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:26:42.461Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.<p>This issue affects CMSMasters Content Composer: from n/a through <= 1.4.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a through <= 1.4.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:49.146Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cmsmasters-content-composer/vulnerability/wordpress-cmsmasters-content-composer-plugin-1-4-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress CMSMasters Content Composer plugin <= 1.4.5 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25326", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-20T16:08:05.875876Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T16:07:21.736Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a through <= 1.4.5."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('PHP Inclusi\u00f3n remota de ficheros') vulnerabilidad en cmsmasters CMSMasters Content Composer cmsmasters-content-composer permite PHP Inclusi\u00f3n local de ficheros. Este problema afecta a CMSMasters Content Composer: desde n/a hasta &lt;= 1.4.5."}], "id": "CVE-2026-25326", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-19T09:16:17.220", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cmsmasters-content-composer/vulnerability/wordpress-cmsmasters-content-composer-plugin-1-4-5-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CMSMasters Content Composer", "source": "cna", "vendor": "cmsmasters"}, "product": "cmsmasters_content_composer", "vendor": "cmsmasters"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T16:59:19.523865+00:00", "value": {"mitigation_remediation": ["Upgrade CMSMasters Content Composer to a version newer than 1.4.5, which removes the insecure include logic.", "If an upgrade cannot be performed immediately, disable the plugin or restrict access to its admin interface so that the include functionality is not exposed to web users.", "On the server, configure PHP to disable allow_url_include and set open_basedir to restrict the directories that can be accessed by include/require calls.", "Remove or set restrictive permissions on any writable directories that the plugin may use for included files, ensuring that uploaded files cannot be executed."], "summary": {"action": "Apply patch", "impact": "Local file inclusion potentially enabling remote code execution or information disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects WordPress sites that have the CMSMasters Content Composer plugin version 1.4.5 or earlier. No other WordPress core or plugin versions are explicitly listed as vulnerable. Users operating a WordPress installation with this plugin and a vulnerable version are at risk if the plugin\u2019s file inclusion functionality is reachable from the web.", "description_and_impact": "The CMSMasters Content Composer plugin has a flaw that lets attackers control the filename used in a PHP include/require statement. This LFI vulnerability could allow reading of sensitive files or, if the attacker can place a file in a writable directory, could be exploited for code execution. The weakness is a classic example of improper input control, classified as CWE\u201198. Based on the description, it is inferred that an attacker who can trigger the plugin\u2019s file inclusion logic could potentially read local files, but actual exploitation to run arbitrary code would depend on the server\u2019s configuration and writable paths.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog, reducing its current prominence. Exploitation would require an attacker to influence the filename parameter used by the plugin\u2019s internal include/require call, most likely through a crafted HTTP request to the plugin's interface. Because the flaw permits local file inclusion, the attack vector is remote via the web interface, but the payload would be limited to the local filesystem unless an attacker can upload a file to a writable directory. The potential for RCE is inferred from the nature of LFI; however, direct evidence of such exploitation is not provided in the available data."}}}}, "created": "2026-02-20T10:08:58.151762+00:00", "updated": "2026-04-16T17:00:09.397731+00:00", "vendors": ["cmsmasters", "cmsmasters$PRODUCT$cmsmasters_content_composer", "wordpress", "wordpress$PRODUCT$wordpress"]}