Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion. This issue affects Rosebud: from n/a through <= 1.4.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Theme
AI Analysis

Impact

The Rosebud theme uses an include/require statement that is not properly validated, enabling an attacker to influence the file that PHP loads. This flaw can lead to the inclusion of arbitrary local files on the server, potentially exposing sensitive configuration files or other data stored within the theme. The vulnerability description does not state that the included file is executed as code, so the primary risk is data disclosure through Local File Inclusion.

Affected Systems

All versions of the Mikado Themes Rosebud theme up to and including 1.4 are affected. WordPress sites that have any of these releases installed are at risk, regardless of other plugins or host settings, because the flaw resides in the theme itself.

Risk and Exploitability

The CVSS score of 8.1 reflects high potential impact, while the EPSS score is reported to be below 1%, indicating low likelihood of widespread exploitation. The flaw is not listed in the CISA KEV catalog. Attackers will likely need to craft a request that manipulates the include path to point to a local file; this inference is based on the description of local file inclusion.

Generated by OpenCVE AI on March 26, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Rosebud theme to a newer version than 1.4 or apply any vendor‑supplied patch if available.
  • Check the vendor’s website for updates or advisories.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mikado-themes; Mikado-themes rosebud; Wordpress; Wordpress wordpress
Vendors & Products | | Mikado-themes; Mikado-themes rosebud; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion. This issue affects Rosebud: from n/a through <= 1.4.
Title | | WordPress Rosebud theme <= 1.4 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:29.919Z

Reserved: 2026-02-17T13:23:58.963Z

Link: CVE-2026-27081

Vulnrichment

Updated: 2026-03-26T18:25:41.302Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:55.700

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27081

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:21Z

Weaknesses