{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25382", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:01.429Z", "datePublished": "2026-03-25T16:14:47.198Z", "dateUpdated": "2026-03-25T16:14:47.198Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "idealauto", "product": "IdealAuto", "vendor": "jwsthemes", "versions": [{"changes": [{"at": "3.8.6", "status": "unaffected"}], "lessThanOrEqual": "< 3.8.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:27.884Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion.<p>This issue affects IdealAuto: from n/a through < 3.8.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion.This issue affects IdealAuto: from n/a through < 3.8.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:47.198Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/idealauto/vulnerability/wordpress-idealauto-theme-3-8-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress IdealAuto theme < 3.8.6 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion.This issue affects IdealAuto: from n/a through < 3.8.6."}], "id": "CVE-2026-25382", "lastModified": "2026-03-25T17:16:48.667", "metrics": {}, "published": "2026-03-25T17:16:48.667", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/idealauto/vulnerability/wordpress-idealauto-theme-3-8-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:56:52.785502+00:00", "value": {"mitigation_remediation": ["Upgrade the IdealAuto theme to version 3.8.6 or later", "If an upgrade is not immediately possible, replace or deactivate the theme until a patch is applied", "Monitor the site for unauthorized file inclusion attempts or execution of unexpected PHP code", "Enable additional security layers such as web application firewalls or file integrity monitoring"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress installations using the IdealAuto theme version 3.8.5 or earlier are affected. All users of jwsthemes' IdealAuto theme prior to version 3.8.6 should treat the system as vulnerable until the theme is updated.", "description_and_impact": "Improper control of the filename used in a PHP include/require statement allows an attacker to include arbitrary local files on the server. This vulnerability can expose sensitive configuration files, user data, or even lead to execution of arbitrary PHP code, effectively granting remote code execution capabilities to a malicious actor.", "risk_and_exploitability": "The CVSS score is not disclosed, and the EPSS metric is unavailable, but the vulnerability is classified as high risk because it permits inclusion of arbitrary local files. The likely attack vector is an HTTP request that manipulates the include path parameter; based on the description, it is inferred that an attacker can construct a malicious URL to trigger the vulnerability. Since the vulnerability is listed in publicly available security advisories, it is likely to be actively exploited by attackers seeking to compromise WordPress sites."}}}}, "created": "2026-03-25T21:44:43.037877+00:00", "updated": "2026-03-25T21:44:43.037969+00:00", "vendors": []}