Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion. This issue affects Deston: from n/a through <= 1.0.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to code execution
Action: Immediate Patch
AI Analysis

Impact

The Deston theme for WordPress includes a PHP file inclusion mechanism that does not validate or sanitize the filename used in an include/require statement. This omission allows attackers to cause the application to include arbitrary local files, which may lead to arbitrary PHP code execution. The weakness corresponds to CWE-98.

Affected Systems

The flaw exists in the Deston theme by Mikado-Themes for WordPress, affecting every release up to and including version 1.0. Any site that currently uses one of those releases and does not apply a patch is potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.1 places this issue in the high-severity range. EPSS indicates a very low probability of exploitation (< 1%), and the vulnerability is not yet catalogued in the CISA KEV list. Successful exploitation requires a request that reaches the unsanitized include; the published CVSS vector (AV:N, AC:H, PR:N, UI:N) records a network-reachable path with high attack complexity and no privileges or user interaction required. Once triggered, the attacker could read local files or execute code, compromising the confidentiality, integrity, and availability of the affected site.

Generated by OpenCVE AI on March 26, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Deston theme to the latest version available (preferably version > 1.0).
  • Verify that the updated theme no longer contains the unsanitized include logic.
  • Configure the web server to limit PHP execution to allowed directories and set open_basedir restrictions.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

  Type: Metrics
  Values Added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

  Type: First Time appeared
  Values Added: Mikado-themes; Mikado-themes deston; Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Mikado-themes; Mikado-themes deston; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

  Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion. This issue affects Deston: from n/a through <= 1.0.

  Type: Title
  Values Added: WordPress Deston theme <= 1.0 - Local File Inclusion vulnerability

  Type: Weaknesses
  Values Added: CWE-98

  Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:10.672Z

Reserved: 2026-02-17T13:23:58.963Z

Link: CVE-2026-27080

Vulnrichment

Updated: 2026-03-26T15:05:43.624Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:55.570

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:22Z

Weaknesses