Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8.
Published: 2025-12-30
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Lekker theme for WordPress includes a flaw where the filename used in an include or require statement is not properly controlled, creating a Local File Inclusion vulnerability classified under CWE-98. An attacker who can influence the filename parameter can cause the server to include unintended files, potentially giving the attacker the ability to read sensitive files or execute arbitrary PHP code. The CVSS score of 8.1 reflects the high impact on confidentiality, integrity, and availability if the flaw is exploited.

Affected Systems

This issue affects the Mikado-Themes Lekker WordPress theme, versions n/a through 1.8. Only installations using a version equal to or older than 1.8 are vulnerable; versions 1.9 and later are not impacted.

Risk and Exploitability

The EPSS score is less than 1%, meaning the probability of exploitation is considered very low, and the vulnerability is not listed in CISA’s KEV catalog. However, the high CVSS score indicates that if an attacker gains entry to influence the include path, they could achieve remote code execution or data compromise. The attack likely requires user-supplied input that determines the filename, such as a GET or POST parameter, and does not depend on elevated privileges or privileged services.

Generated by OpenCVE AI on April 29, 2026 at 14:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lekker theme to version 1.9 or later to remove the vulnerable code
  • If an upgrade is not possible, immediately deactivate any potentially vulnerable include/require calls by ensuring all file paths are hard‑coded or validated against a whitelist of allowed directories
  • Consider disabling the theme until a patch is applied or ensuring the smallest number of users can activate the theme to reduce the attack surface

Generated by OpenCVE AI on April 29, 2026 at 14:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive lekker
CPEs cpe:2.3:a:qodeinteractive:lekker:*:*:*:*:*:wordpress:*:*
Vendors & Products Qodeinteractive
Qodeinteractive lekker

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes lekker
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes lekker
Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Lekker lekker allows PHP Local File Inclusion.This issue affects Lekker: from n/a through <= 1.8.
Title WordPress Lekker theme <= 1.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Mikado-themes Lekker
Qodeinteractive Lekker
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:35.040Z

Reserved: 2025-12-29T11:18:40.733Z

Link: CVE-2025-69034

cve-icon Vulnrichment

Updated: 2026-01-05T13:10:29.494Z

cve-icon NVD

Status : Modified

Published: 2025-12-30T11:16:02.063

Modified: 2026-04-27T20:16:26.340

Link: CVE-2025-69034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:00:13Z

Weaknesses