Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes GoTravel gotravel allows PHP Local File Inclusion.This issue affects GoTravel: from n/a through <= 2.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local file inclusion via the GoTravel WordPress theme
Action: Patch immediately
AI Analysis

Impact

The vulnerability arises from improper control of the filename in a PHP include/require statement within the GoTravel theme, allowing a local file inclusion flaw. An attacker who can influence the include path could read arbitrary files on the server, potentially exposing sensitive data such as configuration files, logs, or application secrets. The flaw does not directly provide remote code execution but can be used as a step toward more severe attacks if combined with other weaknesses.

Affected Systems

Mikado-Themes GoTravel WordPress theme, versions from the initial release up to and including 2.1 are affected. No later versions have been identified as vulnerable.

Risk and Exploitability

The CVSS score of 8.1 categorizes this as a high‑severity vulnerability. The EPSS score is less than 1%, indicating that the probability of automated exploitation is low at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a local context where the attacker can supply a path or influence the included file; however, the CVE entry does not detail a remote trigger, so it is inferred that the flaw requires some form of local or privileged access to the server environment.

Generated by OpenCVE AI on April 16, 2026 at 05:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GoTravel theme to the latest version (at least 2.2).
  • Ensure the theme update is complete by verifying the version number via the WordPress admin dashboard or WP‑CLI.
  • If an immediate upgrade is not possible, restrict or remove the directory that accepts user‑provided filenames, and implement input validation or a whitelist of allowed files to mitigate local file inclusion.

Generated by OpenCVE AI on April 16, 2026 at 05:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes gotravel
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes gotravel
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes GoTravel gotravel allows PHP Local File Inclusion.This issue affects GoTravel: from n/a through <= 2.1.
Title WordPress GoTravel theme <= 2.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Mikado-themes Gotravel
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:48.126Z

Reserved: 2026-01-07T12:22:06.512Z

Link: CVE-2026-22427

cve-icon Vulnrichment

Updated: 2026-03-09T16:35:42.370Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:16.710

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22427

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses