Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion. This issue affects Belfort: from n/a through <= 1.0.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from improper control of a filename in a PHP include/require statement within the Belfort theme, allowing local file inclusion. By exploiting this flaw, an attacker can read or execute arbitrary files on the server, potentially leading to remote code execution and total compromise of the WordPress site.

Affected Systems

WordPress installations that use the Belfort theme from its initial release through version 1.0 are affected.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% indicates a low estimated probability of exploitation, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is either unauthenticated or requires minimal privileges, leveraging the theme’s include logic. An attacker would need to manipulate a request that reaches the vulnerable include in order to read or execute files.

Generated by OpenCVE AI on March 26, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Belfort theme to a version higher than 1.0 when a patch is released by the vendor.
  • If an update cannot be applied immediately, review the site’s file permissions and restrict access to sensitive files or directories.
  • Sanitize all file paths used in theme include statements or disable dynamic includes if possible.
  • Monitor web server logs for attempts to access unexpected file paths.
  • Verify the latest vendor advisories and apply security updates as soon as they become available.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Values added (none removed):
  Metrics:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Values added (none removed):
  First Time appeared: Mikado-themes; Mikado-themes belfort; Wordpress; Wordpress wordpress
  Vendors & Products: Mikado-themes; Mikado-themes belfort; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Values added (none removed):
  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion. This issue affects Belfort: from n/a through <= 1.0.
  Title: WordPress Belfort theme <= 1.0 - Local File Inclusion vulnerability
  Weaknesses: CWE-98
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:30.528Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27075

Vulnrichment

Updated: 2026-03-26T18:25:48.820Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:54.923

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27075

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:26Z
