CVE-2025-54015

Medium CVSS 6.6

Overview

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins HT Contact Form 7 allows PHP Local File Inclusion. This issue affects HT Contact Form 7: from n/a through 2.0.0.

CWE: CWE-98 Published: 2025-07-16T11:15:28.943

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 6.6 (MEDIUM)
Detected tags: lfi, rfi (tag impact: HIGH)

Recommended actions:

Normalize paths, use allowlists; block user-controlled file paths.
Disable remote includes; enforce strict allowlists.

Overview

Recommended tools

Tags