CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30596 – WordPress include-file <= 1 - Arbitrary File Download Vulnerability
https://notcve.org/view.php?id=CVE-2025-30596
03 Apr 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in NotFound include-file allows Path Traversal. This issue affects include-file: from n/a through 1. The include-file plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. • https://patchstack.com/database/wordpress/plugin/include-file/vulnerability/wordpress-include-file-1-arbitrary-file-download-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30595 – WordPress include-file - <= <= 1 Cross Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2025-30595
24 Mar 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tstafford include-file allows Stored XSS. This issue affects include-file: from n/a through 1. The include-file plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages th... • https://patchstack.com/database/wordpress/plugin/include-file/vulnerability/wordpress-include-file-1-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •