{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27080", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:58.963Z", "datePublished": "2026-03-25T16:14:55.336Z", "dateUpdated": "2026-03-25T16:14:55.336Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "deston", "product": "Deston", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "<= 1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:35.074Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion.<p>This issue affects Deston: from n/a through <= 1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion.This issue affects Deston: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:55.336Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/deston/vulnerability/wordpress-deston-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Deston theme <= 1.0 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion.This issue affects Deston: from n/a through <= 1.0."}], "id": "CVE-2026-27080", "lastModified": "2026-03-25T17:16:55.570", "metrics": {}, "published": "2026-03-25T17:16:55.570", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/deston/vulnerability/wordpress-deston-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "deston", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:26:02.872742+00:00", "value": {"mitigation_remediation": ["Upgrade the Deston theme to the latest version available, which resolves the LFI issue.", "If upgrading immediately is not possible, replace the vulnerable include statement with a hard\u2011coded path or validate the filename against a whitelist to prevent arbitrary file inclusion.", "If the theme cannot be patched or replaced, deactivate or remove the Deston theme to eliminate the attack surface.", "Monitor the WordPress installation for abnormal PHP file executions and inspect the wp-content directory for unexpected files."], "summary": {"action": "Patch Now", "impact": "Local File Inclusion, potentially enabling remote code execution"}, "threat_synthesis": {"affected_systems": "The Deston theme distributed by Mikado\u2011Themes is affected. All released versions through and including version 1.0 contain the flaw. No specific sub\u2011versions beyond 1.0 are enumerated.", "description_and_impact": "This vulnerability is a local file inclusion flaw in the Mikado\u2011Themes Deston WordPress theme up to version 1.0. It arises from improper control of the filename used in an include/require statement, allowing an attacker to specify arbitrary file paths. The flaw can lead to disclosure of sensitive local files or, if an attacker supplies a PHP file, execution of arbitrary code with the permissions of the web application. Based on the description it is inferred that the vulnerability may allow remote code execution if the attacker can load a PHP payload.", "risk_and_exploitability": "The CVSS severity score is not provided in the available data, and no EPSS score is available, leaving the precise exploitation likelihood unclear. The LFI flaw can be triggered when an attacker can influence the target URL or form input that determines the file name. The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting it may not yet be widely exploited. Nonetheless, the potential for remote code execution underscores a high risk that should be addressed promptly."}}}}, "created": "2026-03-25T21:43:57.018638+00:00", "updated": "2026-03-26T11:37:54.964823+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$deston", "wordpress", "wordpress$PRODUCT$wordpress"]}