{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27047", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-03-25T16:14:53.295Z", "dateUpdated": "2026-03-25T16:14:53.295Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "curly-core", "product": "Curly Core", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "<= 2.1.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:32.024Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly Core curly-core allows PHP Local File Inclusion.<p>This issue affects Curly Core: from n/a through <= 2.1.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly Core curly-core allows PHP Local File Inclusion.This issue affects Curly Core: from n/a through <= 2.1.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:53.295Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/curly-core/vulnerability/wordpress-curly-core-plugin-2-1-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Curly Core plugin <= 2.1.6 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly Core curly-core allows PHP Local File Inclusion.This issue affects Curly Core: from n/a through <= 2.1.6."}], "id": "CVE-2026-27047", "lastModified": "2026-03-25T17:16:53.990", "metrics": {}, "published": "2026-03-25T17:16:53.990", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/curly-core/vulnerability/wordpress-curly-core-plugin-2-1-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.6]"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Curly Core", "source": "cna", "vendor": "Mikado-Themes"}, "product": "curly", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:46:05.885683+00:00", "value": {"mitigation_remediation": ["Upgrade Curly Core plugin to the latest release (any version newer than 2.1.6).", "If an upgrade is not possible, remove or disable the plugin from the WordPress installation.", "As a temporary mitigation, restrict access to the plugin\u2019s administrative pages to authenticated administrators only, or block the endpoints via firewall rules.", "After applying a fix, monitor web server logs for attempts that match LFI patterns to verify that the vulnerability has been neutralized."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "All releases of Mikado-Themes Curly Core plugin up to and including version 2.1.6 are affected. The plugin is deployed in WordPress sites where it may be publicly accessible. Any site running a vulnerable version can be targeted for the LFI flaw.", "description_and_impact": "Mikado-Themes Curly Core plugin contains an Improper Control of Filename for Include/Require Statement vulnerability (CWE-98). The plugin uses user-supplied input in a PHP require/include call, which allows an attacker to manipulate the filename and cause the server to read or execute arbitrary local files. This can lead to disclosure of sensitive configuration information or the execution of arbitrary code if a PHP file is included. The vulnerability is a Local File Inclusion that potentially compromises confidentiality and integrity of the affected WordPress site.", "risk_and_exploitability": "The CVSS score is not provided, but the flaw is a classic LFI that can give attackers the ability to read local files or execute code on the web server. The EPSS score is not available and the vulnerability is not listed in the KEV catalog. The likely attack vector is a crafted HTTP request to an endpoint that passes a file path to the plugin. If the attacker can reach this endpoint and the plugin processes the input without proper validation, the LFI can be triggered. Because the vulnerability exists in many public installations and requires no privileged access beyond HTTP request capability, the risk of exploitation in the wild is considered moderate to high until a patch is applied."}}}}, "created": "2026-03-25T21:44:09.697576+00:00", "updated": "2026-03-26T11:38:06.115749+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$curly", "wordpress", "wordpress$PRODUCT$wordpress"]}