Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cocco cocco allows PHP Local File Inclusion. This issue affects Cocco: from n/a through <= 1.5.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential arbitrary code execution)
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from improper control of filenames used in PHP include/require statements within the Mikado‑Themes Cocco WordPress theme. An attacker can manipulate input that is passed to these statements, causing the server to read or execute arbitrary local files. This can lead to information disclosure and, if the included content contains executable code, remote code execution or privilege escalation on the web host.

Affected Systems

Affected products are all releases of the Mikado‑Themes Cocco WordPress theme with version numbers up to and including 1.5.1. No specific sub‑versions are listed; all builds from the earliest available version through 1.5.1 are vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would target the theme via crafted requests that trigger the vulnerable include, potentially leveraging administrative or public access to the theme's parameters. The inferred attack vector is local file inclusion through manipulated parameters or tampered file paths; further exploitation could achieve code execution if the attacker controls the contents of the local files that get included.

Generated by OpenCVE AI on April 16, 2026 at 05:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cocco theme to the latest available release (1.5.2 or newer) to remove the vulnerable code path.
  • If an upgrade is not immediately possible, restrict access to the theme’s include directories and disable allow_url_include in the PHP configuration, ensuring that only trusted files can be included.
  • Implement strict input validation in the theme’s code or via a web application firewall to whitelist acceptable file paths and reject any attempts to reference files outside the theme’s directory.
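The third recommendation, an allowlist of acceptable file paths enforced in code, is the fix that actually removes the CWE-98 condition. The following is an added example of that pattern and is not code from the Cocco theme or from OpenCVE; the request parameter name `template`, the function and constant names, and the file layout under `templates/` are all assumptions made for illustration.

```php
<?php
// Added example (not the Cocco theme's code): loading a theme template by
// name without ever letting request data reach include/require.
// The $_GET parameter 'template' and the file names below are assumptions.

declare(strict_types=1);

/**
 * Allowlist of public template identifiers to files inside the theme directory.
 * Only keys of this array can be included; the path value is never built from
 * user input, which is what rules out the CWE-98 class of bug.
 */
const COCCO_EXAMPLE_TEMPLATES = [
    'grid' => 'templates/grid.php',
    'list' => 'templates/list.php',
];

/**
 * Resolve a requested template name to an absolute path under $themeDir.
 * Returns null when the name is not on the allowlist, the file does not exist,
 * or the resolved path is outside the theme directory. Callers must treat null
 * as a hard refusal, never as "fall back to the raw request value".
 */
function cocco_example_resolve_template(string $requested, string $themeDir): ?string
{
    if (!array_key_exists($requested, COCCO_EXAMPLE_TEMPLATES)) {
        return null; // unknown name: refuse rather than guess
    }

    $base = realpath($themeDir);
    $path = realpath($themeDir . '/' . COCCO_EXAMPLE_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null; // theme directory or template file missing on disk
    }

    // Defence in depth: even an allowlisted entry must resolve inside the theme
    // directory (protects against a mis-edited map entry or symlink surprises).
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Usage. The vulnerable shape the advisory describes is an include whose
// filename is derived from the request; the safe shape below only ever
// includes a path produced by the allowlist lookup.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'grid';
$template  = cocco_example_resolve_template($requested, __DIR__);
if ($template === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $template;
```

Two design points worth noting for anyone applying the workaround in the list above: disabling `allow_url_include` only blocks URL-style wrappers (remote inclusion); it does nothing for the local file inclusion this CVE describes, so the allowlist (or an equivalent WAF rule that rejects any template value not in a fixed set) is the control that matters. And the `realpath` containment check is deliberately a second line of defence rather than the primary one, because path-normalisation checks alone have historically been bypassed; the primary control is that the include argument is never derived from the request.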

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Mikado-themes; Mikado-themes cocco; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: (none)
Values added: Mikado-themes; Mikado-themes cocco; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values removed: (none)
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cocco cocco allows PHP Local File Inclusion. This issue affects Cocco: from n/a through <= 1.5.1.

Type: Title
Values removed: (none)
Values added: WordPress Cocco theme <= 1.5.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values removed: (none)
Values added: CWE-98

Type: References
Values removed: (none)
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:41.753Z

Reserved: 2026-01-07T12:21:40.879Z

Link: CVE-2026-22389

Vulnrichment

Updated: 2026-03-09T17:05:27.390Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:13.380

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22389

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses