Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through <= 2.4.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of filenames in PHP include/require statements, classified as CWE‑98, that permits an attacker to include arbitrary local files while the Dør theme processes requests. If the attacker can influence the path, they may read sensitive configuration files or execute injected PHP code, leading to information disclosure or remote code execution.

Affected Systems

The Mikado‑Themes WordPress theme Dør, versions n/a through 2.4, is affected. This includes every WordPress installation that has any of those versions installed, whether the theme is currently active or not.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability represents high severity. The EPSS score of less than 1% indicates a low current exploitation likelihood, and it is not listed in CISA’s KEV catalog. Likely exploitation requires sending crafted HTTP requests to the site that trigger the vulnerable include. Depending on server configuration, success could give an attacker access to local files or the ability to run arbitrary code in the web‐server context.

Generated by OpenCVE AI on April 30, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dør theme to a version newer than 2.4 that removes the vulnerable include path.
  • If an upgrade is not possible, deactivate or uninstall the Dør theme until a secure version is released.
  • Restrict file‑system permissions so the web server cannot read sensitive configuration files, and configure WordPress to allow includes only from a pre‑defined whitelist.
  • As an interim measure, implement input sanitization on any parameters that influence file includes within the theme to ensure only expected filenames are processed.

Generated by OpenCVE AI on April 30, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive dor
CPEs cpe:2.3:a:qodeinteractive:dor:*:*:*:*:*:wordpress:*:*
Vendors & Products Qodeinteractive
Qodeinteractive dor

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Mon, 10 Nov 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes dor
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes dor
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through <= 2.4.
Title WordPress Dør theme <= 2.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References

Subscriptions

Mikado-themes Dor
Qodeinteractive Dor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.128Z

Reserved: 2025-04-16T06:23:36.340Z

Link: CVE-2025-39466

cve-icon Vulnrichment

Updated: 2025-11-10T19:41:06.543Z

cve-icon NVD

Status : Modified

Published: 2025-11-06T16:15:50.903

Modified: 2026-04-27T19:16:13.297

Link: CVE-2025-39466

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T14:45:24Z

Weaknesses