Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dolcino dolcino allows PHP Local File Inclusion. This issue affects Dolcino: from n/a through <= 1.6.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially leading to Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in PHP include/require statements within the Dolcino theme, allowing an attacker to specify arbitrary files for inclusion. When exploited, this can enable reading of arbitrary files from the server's filesystem, and if that file contains PHP code it may lead to execution of attacker-controlled code. The weakness is identified as CWE-98.

Affected Systems

The flaw exists in the Mikado-Themes Dolcino WordPress theme for all releases from the earliest supported version up to and including version 1.6; no later releases contain this issue.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity when the flaw is successfully leveraged. However, the EPSS score of less than 1% suggests the likelihood of active exploitation is low, and the vulnerability is not presently listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is a local file inclusion path reached through the theme's file handling logic, and successful exploitation would require the ability to control the filename parameter. Given these conditions, the overall probability of exploitation remains low, but the impact of successful exploitation is substantial.

Generated by OpenCVE AI on April 16, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Dolcino to any release newer than 1.6 to eliminate the LFI code path.
  • If upgrading is not immediately possible, disable the theme and remove any files that could be included through theme functions, then configure a whitelist of acceptable include paths or use a sanitization routine to prevent dynamic file inclusion.
  • Restrict file system permissions on the WordPress installation so that the web server process cannot read critical configuration or upload directories, thereby limiting the scope of information that could be exposed through LFI.
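The second recommended action asks for an allowlist of acceptable include paths or a sanitization routine in place of dynamic inclusion. The following is an added illustration of that pattern in plain PHP; it is not code from the Dolcino theme, and the function names, the template directory and the request parameter name `tpl` are hypothetical, since the page does not document the theme's actual include logic. It places the CWE-98 pattern (a path built directly from request input) beside a hardened version that maps a request key to a fixed set of files and verifies the resolved path stays under the template directory.

```php
<?php
// Added example (not Dolcino theme code). Names, paths and the 'tpl'
// parameter are hypothetical; the theme's real parameter is not on the page.

// VULNERABLE (CWE-98): the include path is built from caller-controlled input
// with no validation, so the caller decides which file the server includes.
function load_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// HARDENED: request keys map to a closed set of files; nothing else is includable.
const TEMPLATE_MAP = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

// Returns the absolute path for an allowed key, or null for anything else.
function resolve_template(string $key): ?string
{
    if (!isset(TEMPLATE_MAP[$key])) {
        return null;                      // unknown key: refuse, do not build a path
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_MAP[$key]);
    // realpath() resolves symlinks and '..'; require the result to remain inside
    // the template directory even if the map or filesystem is later changed.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Includes the template for $key; returns false (and a 400) when the key is not allowed.
function load_template_safe(string $key): bool
{
    $path = resolve_template($key);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Usage with the hypothetical 'tpl' parameter; a missing or unknown key never
// reaches include():
// load_template_safe($_GET['tpl'] ?? 'header');
```

The allowlist is the primary control: the request value is only ever used as a lookup key, never as a path component. The `realpath()` containment check is a second layer so that a mistaken map entry or a symlink under the template directory cannot widen the set of includable files. Deploying the web server with `allow_url_include` off and with the filesystem permissions described in the third action limits what a residual inclusion bug could expose.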

Generated by OpenCVE AI on April 16, 2026 at 12:52 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type       Values Removed   Values Added
Metrics    -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Mikado-themes; Mikado-themes dolcino; Wordpress; Wordpress wordpress
Vendors & Products    -                Mikado-themes; Mikado-themes dolcino; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description   -                Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dolcino dolcino allows PHP Local File Inclusion. This issue affects Dolcino: from n/a through <= 1.6.
Title         -                WordPress Dolcino theme <= 1.6 - Local File Inclusion vulnerability
Weaknesses    -                CWE-98
References    -

Subscriptions

Mikado-themes Dolcino
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:45.388Z

Reserved: 2026-01-07T12:21:56.449Z

Link: CVE-2026-22410

Vulnrichment

Updated: 2026-03-09T16:54:17.133Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:14.757

Modified: 2026-03-09T18:16:18.137

Link: CVE-2026-22410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses