What the vulnerability does
01Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion.This issue affects CWW Portfolio: from n/a through <= 1.3.1.
Explanation of Vulnerability in Simple Terms
02Summary
CWW Portfolio versions up to 1.3.1 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service. The attack requires network access and user interaction—typically the victim must click a malicious link or visit a crafted page. The vulnerability stems from improper input handling (CWE-98). Site administrators should update immediately when a patch becomes available.
What an attacker can do
03Attacker Capabilities
Read sensitive data, modify site content, or cause the site to become unavailable.
Potential impact on your site
04Site Impact
Attackers can steal data, deface your portfolio, or take the site offline without needing a user account.
Conditions required to exploit
05Prerequisites
Victim must click a malicious link or visit an attacker-controlled page; no authentication required.
Key dates
06Disclosure timeline
April 24, 2025
CVE published
May 12, 2026
Record updated