Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion. This issue affects IdealAuto: from n/a through < 3.8.6.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The vulnerability in jwsthemes IdealAuto results from an uncontrolled use of user input in an include/require statement, allowing Local File Inclusion. An attacker can supply a crafted path in the request, causing the theme to read arbitrary files from the server. This exposure can lead to the disclosure of sensitive files and, on some server configurations, execution of code. The weakness is classified as CWE-98. The entry’s description confirms the flaw permits PHP Local File Inclusion.

Affected Systems

The affected product is the IdealAuto theme for WordPress, in any version up to, but not including, 3.8.6. The provided references do not identify a patch from the vendor, jwsthemes, so installations running versions prior to 3.8.6 require mitigating controls.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability, with an EPSS score below 1% suggesting low current exploitation probability. The defect is not listed in the CISA KEV catalog. Attackers can likely exploit the flaw through a web request that references the vulnerable parameter, making remote exploitation possible. Admins should prioritize patching, as failing to mitigate could allow attackers to read sensitive information or potentially run code on the server.

Generated by OpenCVE AI on March 26, 2026 at 18:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update IdealAuto theme to the latest version (3.8.6 or newer) as soon as possible.
  • If an update cannot be applied immediately, deactivate the theme or switch to a trusted alternative.
  • Apply web application firewall rules to block suspicious query parameters that could trigger file inclusion.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Jwsthemes; Jwsthemes idealauto; Wordpress; Wordpress wordpress
Vendors & Products | | Jwsthemes; Jwsthemes idealauto; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion. This issue affects IdealAuto: from n/a through < 3.8.6.
Title | | WordPress IdealAuto theme < 3.8.6 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.338Z

Reserved: 2026-02-02T12:53:01.429Z

Link: CVE-2026-25382

Vulnrichment

Updated: 2026-03-26T17:03:16.413Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:48.667

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-25382

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:45:48Z

Weaknesses