Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes LuxeDrive luxedrive allows PHP Local File Inclusion. This issue affects LuxeDrive: from n/a through <= 1.0.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from insufficient validation of the file name passed to a PHP include/require statement in the Mikado‑Themes LuxeDrive theme, the weakness catalogued as CWE‑98. An attacker who can influence that value can make the theme include arbitrary files from the WordPress server's filesystem. Because include/require executes any PHP code found in the target file and emits everything else as output, the consequences range from disclosure of local files (for example via the php://filter wrapper, which returns PHP source instead of executing it) to execution of attacker-controlled content when a file with attacker-influenced contents, such as an uploaded file or a poisoned log, can be reached. The advisory classifies the issue as local file inclusion; the same weakness class covers remote inclusion, which in PHP additionally requires allow_url_include to be enabled (it is off by default).
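
To make the weakness concrete, here is an added illustration of the CWE‑98 pattern in plain PHP beside a hardened version. It is not code from the LuxeDrive theme, whose vulnerable code path is not disclosed on this page; the request parameter name `template`, the `templates/` directory and the allowlisted template names are assumptions made for the example.

```php
<?php
// Added illustration of CWE-98 (unvalidated include target); not LuxeDrive code.
// The 'template' parameter, the templates/ directory and the allowlist are assumed.

// VULNERABLE: the request value reaches include() after only a string concat.
// '../../../../wp-config.php' or 'php://filter/convert.base64-encode/resource=…'
// are accepted as-is, so the attacker chooses which file is executed or leaked.
function render_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED: map the untrusted value onto a fixed allowlist of template names,
// then verify the resolved path still lies under the templates directory.
function render_template_hardened(string $template): void
{
    $allowed = ['grid', 'list', 'single'];          // assumed template names
    if (!in_array($template, $allowed, true)) {
        http_response_code(400);
        exit('unknown template');
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $template . '.php');

    // realpath() returns false for a missing file. The prefix check is defence
    // in depth: it still defeats traversal if the allowlist is later widened
    // to accept user-supplied slugs.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(400);
        exit('invalid template');
    }

    include $path;
}

// Entry point: fall back to a known template when the parameter is absent.
render_template_hardened(isset($_GET['template']) ? (string) $_GET['template'] : 'grid');
```

The allowlist is the actual fix; the realpath prefix comparison only catches regressions. In a real WordPress theme the same check would typically be expressed with the theme's own template-loading helpers rather than a bare include, but the principle is identical: the request may select among known names, never supply a path.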

Affected Systems

All WordPress installations running the Mikado‑Themes LuxeDrive theme at version 1.0 or earlier are affected. The advisory states the range as "from n/a through <= 1.0", i.e. every release up to and including 1.0, and at the time of publication no fixed release is listed.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (High) derives from the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network with no privileges and no user interaction, with high impact to confidentiality, integrity and availability, but rated high attack complexity. The EPSS score below 1 % estimates a low probability of exploitation in the wild over the next 30 days; it is a prediction, not an observation of attack traffic. The vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: total. Based on the description, exploitation most likely consists of an HTTP request in which a theme-controlled file-name parameter is set to a path of the attacker's choosing; the specific endpoint and parameter are not disclosed on this page.

Generated by OpenCVE AI on March 26, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove the LuxeDrive theme from affected WordPress sites until a fixed release is available. Switching the active theme is not enough on its own: theme PHP files that remain on disk can still be requested directly, so remove the theme directory as well.
  • Block direct HTTP requests to PHP files under wp-content/themes/luxedrive/ with web-server rules (.htaccess or the equivalent nginx location block) and verify the site still renders. WordPress normally loads theme code through its own entry points, so direct requests for individual theme files are rarely legitimate.
  • Harden the PHP runtime against inclusion attacks in general: keep allow_url_include=Off (the default) and set open_basedir to the WordPress document root so that an include can never leave it.
  • Verify that the remaining plugins and themes do not expose similar file-inclusion paths, and keep them updated.
  • Monitor web server logs for requests against the theme directory whose query strings contain traversal sequences (../ and its URL-encoded or double-URL-encoded forms), PHP stream wrappers (php://, data:, expect://), or probes for files such as /etc/passwd and wp-config.php.
  • Contact Mikado‑Themes for an official fix or upgrade path; in the absence of a patch, consider replacing the theme with a maintained alternative.
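
As an added example for the log-monitoring recommendation (not an OpenCVE or Mikado‑Themes tool), the PHP CLI script below scans Apache combined-format access log lines for requests against the theme path that carry file-inclusion indicators, decoding the request target repeatedly so that double-encoded traversal is not missed. The sample log lines, the `index.php?template=` endpoint and the theme directory name are constructed assumptions; the real vulnerable endpoint is not disclosed on this page.

```php
<?php
// Added detection sketch; not an OpenCVE or Mikado-Themes tool.
// Apache "combined" log format is assumed. The sample lines are constructed for
// this example and the theme path wp-content/themes/luxedrive/ is an assumption.

const LUXEDRIVE_PATH = '/wp-content/themes/luxedrive/';

// Indicators of include/require abuse, matched after URL decoding and lowercasing.
const LFI_INDICATORS = [
    '../'                => 'directory traversal',
    '..\\'               => 'directory traversal (backslash)',
    'php://'             => 'PHP stream wrapper',
    'data:'              => 'data: wrapper',
    'expect://'          => 'expect:// wrapper',
    '/etc/passwd'        => 'classic LFI probe',
    'wp-config.php'      => 'WordPress configuration targeted',
    '/proc/self/environ' => 'environment disclosure probe',
    "\0"                 => 'null byte',
];

// Decode up to three times so %252e%252e%252f (double encoding) becomes ../
function normalize_request_path(string $raw): string
{
    $decoded = $raw;
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    return strtolower($decoded);
}

// Returns one ['line' => ..., 'reason' => ...] entry per suspicious request.
function find_lfi_attempts(array $log_lines): array
{
    $hits = [];
    foreach ($log_lines as $line) {
        // Pull the request target out of the quoted request field.
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = normalize_request_path($m[1]);
        if (strpos($target, LUXEDRIVE_PATH) === false) {
            continue;               // only interested in requests to the theme
        }
        foreach (LFI_INDICATORS as $needle => $reason) {
            if (strpos($target, $needle) !== false) {
                $hits[] = ['line' => $line, 'reason' => $reason];
                break;              // one reason per line is enough
            }
        }
    }
    return $hits;
}

// Constructed sample traffic: one benign request and three probes.
$sample = [
    '203.0.113.5 - - [25/Mar/2026:17:20:01 +0000] "GET /wp-content/themes/luxedrive/style.css HTTP/1.1" 200 8123',
    '203.0.113.7 - - [25/Mar/2026:17:20:02 +0000] "GET /wp-content/themes/luxedrive/index.php?template=../../../../wp-config.php HTTP/1.1" 200 2312',
    '203.0.113.7 - - [25/Mar/2026:17:20:03 +0000] "GET /wp-content/themes/luxedrive/index.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1874',
    '203.0.113.9 - - [25/Mar/2026:17:20:04 +0000] "GET /wp-content/themes/luxedrive/index.php?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 5120',
];

foreach (find_lfi_attempts($sample) as $hit) {
    echo $hit['reason'], ': ', $hit['line'], PHP_EOL;
}
```

Run as `php scan.php` after swapping `$sample` for `file('/var/log/apache2/access.log')`. The status code is deliberately ignored: a 200 on a traversal request is the interesting case, but 404s and 500s still show that the theme path is being probed.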

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values added: Mikado-themes; Mikado-themes luxedrive; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Mikado-themes; Mikado-themes luxedrive; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes LuxeDrive luxedrive allows PHP Local File Inclusion. This issue affects LuxeDrive: from n/a through <= 1.0.
Type: Title
Values added: WordPress LuxeDrive theme <= 1.0 - Local File Inclusion vulnerability
Type: Weaknesses
Values added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:10.351Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27076

Vulnrichment

Updated: 2026-03-26T15:07:44.811Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:55.050

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:25Z

Weaknesses