What the vulnerability does
01 Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Benjamin Denis SEOPress for MainWP seopress-for-mainwp allows PHP Local File Inclusion. This issue affects SEOPress for MainWP: from n/a through <= 1.4.
Explanation of Vulnerability in Simple Terms
02 Summary
SEOPress for MainWP versions 1.4 and earlier contain a code injection vulnerability that allows an attacker to execute arbitrary code on the site. The vulnerability requires user interaction—the victim must click a malicious link or visit a crafted page. An attacker with no prior authentication can exploit this to gain full control of the affected WordPress installation.
What an attacker can do
03 Attacker Capabilities
Execute arbitrary code on the WordPress site and take full control of it.
Potential impact on your site
04 Site Impact
An attacker can run malicious code, steal data, modify content, or compromise user accounts on your site.
Conditions required to exploit
05 Prerequisites
The site admin or user must click a malicious link or visit an attacker-controlled page (user interaction required).
Key dates
06 Disclosure timeline
CVE published: August 20, 2025
Record updated: April 28, 2026