Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion. This issue affects Kunco: from n/a through < 1.4.5.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper control of filenames used in PHP include/require statements within the Gavias Kunco WordPress theme, which allows PHP Local File Inclusion. This flaw permits an attacker to read arbitrary local files on the server, potentially exposing sensitive configuration, credentials, or code files, thereby compromising confidentiality.

Affected Systems

All releases of the Gavias Kunco theme before version 1.4.5 are affected. The issue is fixed in version 1.4.5 and any later releases. Sites currently running any earlier version of the theme are vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high-severity flaw. There is no available EPSS score and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no recorded exploitation in the wild. Based on the description, it is inferred that the attack vector is remote: an attacker supplies crafted input through a web request to influence the filename used in the theme's include/require statement. Exploitation requires web access to the affected WordPress installation and can lead to arbitrary file disclosure, which may aid further compromise.

Generated by OpenCVE AI on March 26, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Kunco theme to version 1.4.5 or later
  • If the update cannot be applied immediately, disable or remove the Kunco theme until a patch is available
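
As an added example (not part of the OpenCVE record or the theme's own code), this Python check reads the Version header from the theme's style.css and classifies a WordPress install against the fixed release 1.4.5. The theme directory name `kunco`, the function names and the sample trees are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 4, 5)      # first fixed release named in this record
THEME_SLUG = "kunco"   # assumption: theme directory name under wp-content/themes

# WordPress reads theme metadata from the comment header of style.css.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)


def parse_version(css_text):
    """Return the Version header as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(css_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(wp_root):
    """Classify one WordPress root: absent, unknown, vulnerable or fixed."""
    css = Path(wp_root) / "wp-content" / "themes" / THEME_SLUG / "style.css"
    if not css.is_file():
        return "absent"
    version = parse_version(css.read_text(encoding="utf-8", errors="replace"))
    if version is None:
        return "unknown"  # no parsable header: inspect by hand, do not assume safe
    # Tuple comparison is numeric per component, so 1.4.10 sorts after 1.4.5.
    return "vulnerable" if version < FIXED else "fixed"


def make_sample(version_line):
    """Build a constructed WordPress tree whose Kunco style.css has this header line."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    theme = root / "wp-content" / "themes" / THEME_SLUG
    theme.mkdir(parents=True)
    (theme / "style.css").write_text(
        "/*\nTheme Name: Kunco\n" + version_line + "\n*/\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for line in ("Version: 1.4.4", "Version: 1.4.5", "Version: 1.4.10", "Author: x"):
        print(f"{line!r:20} -> {audit(make_sample(line))}")
```

An "unknown" result means the header could not be parsed and the install should be inspected manually, not treated as patched.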

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gavias; Gavias kunco; Wordpress; Wordpress wordpress
Vendors & Products | | Gavias; Gavias kunco; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion. This issue affects Kunco: from n/a through < 1.4.5.
Title | | WordPress Kunco theme < 1.4.5 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-25T20:11:40.537Z

Reserved: 2026-03-12T11:12:24.776Z

Link: CVE-2026-32531

Vulnrichment

Updated: 2026-03-25T20:11:19.044Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:06.547

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32531

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:12:20Z

Weaknesses