Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes MultiOffice multioffice allows PHP Local File Inclusion. This issue affects MultiOffice: from n/a through <= 1.2.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling remote code execution
Action: Immediate Patch
AI Analysis

Impact

An improper control of the filename for the PHP include/require construct in the Mikado‑Themes MultiOffice theme allows an attacker to retrieve arbitrary files from the server. By manipulating the path value, a malicious user could read sensitive files such as configuration files, credentials, or source code. If a writable file is accessible, the attacker could inject PHP code that may be executed on the server, giving full control over the site. The weakness is a classic PHP Local File Inclusion scenario, aligned with CWE‑98. The resultant loss of confidentiality, integrity, and potentially availability follows the typical LFI chain, which may lead to complete compromise of the WordPress installation.

Affected Systems

WordPress sites that use the Mikado‑Themes MultiOffice theme version 1.2 or earlier are affected. No other vendors or products are listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as high severity. The EPSS score indicates a low probability of exploitation in the short term, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote: an attacker can supply a crafted request to the theme on a publicly accessible WordPress site to trigger the include/require with a controlled filename. No additional conditions are specified, so the vulnerability appears exploitable with minimal effort on a publicly exposed site. Note that the published CVSS vector rates attack complexity as high (AC:H), with no privileges or user interaction required.

Generated by OpenCVE AI on March 26, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest MultiOffice theme version that no longer includes this vulnerability.
  • If an update is not immediately possible, remove or deactivate the theme and switch to a secure default theme.
  • Prevent local file inclusion by disabling PHP file inclusion from untrusted paths and setting open_basedir restrictions in the server configuration.
  • Verify that the WordPress installation is up to date and that all other plugins and themes have the latest security patches.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
  Mikado-themes
  Mikado-themes multioffice
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Mikado-themes
  Mikado-themes multioffice
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes MultiOffice multioffice allows PHP Local File Inclusion. This issue affects MultiOffice: from n/a through <= 1.2.

Type: Title
Values Added: WordPress MultiOffice theme <= 1.2 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:30.345Z

Reserved: 2026-02-17T13:23:51.341Z

Link: CVE-2026-27077

Vulnrichment

Updated: 2026-03-26T18:25:46.208Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:55.180

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:24Z

Weaknesses