Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion. This issue affects Curly: from n/a through < 3.3.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (Potential Remote Code Execution)
Action: Apply update
AI Analysis

Impact

A flaw exists in how the Mikado-Themes Curly WordPress theme builds file names for PHP include/require calls, allowing an attacker to point the theme at arbitrary local files. If the attacker can specify a file that contains PHP code, that code is executed on the server, which can lead to full remote control of the site. The weakness is a classic Local File Inclusion issue, classified as CWE-98.

Affected Systems

WordPress sites running the Curly theme at any version below 3.3 are affected; the record gives no lower bound ("from n/a through < 3.3"). This includes any installation where the theme's include logic is reachable, typically through theme-specific widgets or page templates.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity. The EPSS score is below 1%, suggesting exploitation is currently rare, and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local file inclusion via crafted theme requests; the attacker must be able to influence the include path, for example through the theme's front-end controls or by manipulating query parameters. Successful exploitation would enable reading sensitive files or executing arbitrary PHP, giving full compromise of the WordPress instance.

Generated by OpenCVE AI on April 27, 2026 at 21:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Curly theme to version 3.3 or newer, which removes the insecure include logic.
  • If an upgrade is not immediately possible, disable any theme functionality that allows arbitrary file paths or remove the include statements that reference user‑controlled input.
  • Configure PHP to set allow_url_include to Off and, if applicable, apply open_basedir restrictions to prevent access to sensitive directories.
  • Continuously monitor web application logs for abnormal attempts to include local files and enforce strict input validation on any theme‑related parameters.
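To make the second and fourth actions concrete, the following is an added illustration (not Curly's code; the function names, the `template` query parameter and the template list are constructed) of the CWE-98 pattern in a WordPress theme template loader, with the unfiltered include beside a hardened version that maps the parameter onto an allowlist and checks the resolved path stays inside the theme directory:

```php
<?php
// Constructed example of CWE-98 in a WordPress theme template loader.
// mkd_load_template_* and the 'template' parameter are hypothetical names;
// get_template_directory() and wp_die() are standard WordPress functions.

// VULNERABLE: the request parameter reaches require_once unfiltered, so a
// crafted value can select any readable file on the server.
function mkd_load_template_vulnerable() {
    $name = isset($_GET['template']) ? $_GET['template'] : 'default';
    require_once get_template_directory() . '/templates/' . $name . '.php';
}

// HARDENED: only names from a fixed allowlist are accepted, and the resolved
// path is verified to lie inside the theme's templates directory.
function mkd_load_template_hardened() {
    $allowed = array('default', 'portfolio', 'blog-masonry'); // constructed list
    $name = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
    if (!in_array($name, $allowed, true)) {
        $name = 'default'; // unknown names fall back instead of being trusted
    }
    $base = realpath(get_template_directory() . '/templates');
    $path = realpath($base . '/' . $name . '.php');
    // realpath() resolves '..' and symlinks and returns false for missing files,
    // so a containment check on its result catches traversal outside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Invalid template request', 'Template error', array('response' => 400));
    }
    require_once $path;
}
```

Log any request that hits the fallback or the wp_die() branch; those are the "abnormal attempts to include local files" the monitoring action refers to.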

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 29 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive curly
CPEs cpe:2.3:a:qodeinteractive:curly:*:*:*:*:*:wordpress:*:*
Vendors & Products Qodeinteractive
Qodeinteractive curly

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes curly
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes curly
Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3.
Title WordPress Curly theme < 3.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:26:48.530Z

Reserved: 2025-12-15T09:59:55.701Z

Link: CVE-2025-67936

Vulnrichment

Updated: 2026-01-08T18:39:22.940Z

NVD

Status : Modified

Published: 2026-01-08T10:15:52.810

Modified: 2026-02-03T19:16:14.787

Link: CVE-2025-67936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:45:14Z

Weaknesses