{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32531", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:24.776Z", "datePublished": "2026-03-25T16:15:09.570Z", "dateUpdated": "2026-03-25T20:11:40.537Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "kunco", "product": "Kunco", "vendor": "gavias", "versions": [{"changes": [{"at": "1.4.5", "status": "unaffected"}], "lessThanOrEqual": "< 1.4.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:42.808Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.<p>This issue affects Kunco: from n/a through < 1.4.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.570Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/kunco/vulnerability/wordpress-kunco-theme-1-4-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Kunco theme < 1.4.5 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:11:25.963844Z", "id": "CVE-2026-32531", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:11:40.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32531", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T20:11:25.963844Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:11:19.044Z"}}], "cna": {"title": "WordPress Kunco theme < 1.4.5 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "gavias", "product": "Kunco", "versions": [{"status": "affected", "changes": [{"at": "1.4.5", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.4.5"}], "packageName": "kunco", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:42.808Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/kunco/vulnerability/wordpress-kunco-theme-1-4-5-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.<p>This issue affects Kunco: from n/a through < 1.4.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.570Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32531", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:11:40.537Z", "dateReserved": "2026-03-12T11:12:24.776Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:09.570Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kunco kunco allows PHP Local File Inclusion.This issue affects Kunco: from n/a through < 1.4.5."}], "id": "CVE-2026-32531", "lastModified": "2026-03-25T21:16:44.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:06.547", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/kunco/vulnerability/wordpress-kunco-theme-1-4-5-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:16:37.236240+00:00", "value": {"mitigation_remediation": ["Upgrade the Kunco theme to version 1.4.5 or later."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The affected application is the WordPress Kunco theme by Gavias. Versions from the earliest release up to, but not including, 1.4.5 are vulnerable. Any WordPress site using Kunco prior to 1.4.5 may be impacted.", "description_and_impact": "The vulnerability arises from improper control of filenames used in PHP include or require statements within the Kunco theme. An attacker who can influence the filename parameter can cause the theme to include arbitrary local files. This may expose sensitive data or allow execution of malicious code, potentially leading to a data breach or compromise of the hosted system.", "risk_and_exploitability": "Because the vulnerability allows inclusion of files controlled by user input, it can be exploited remotely through crafted URLs if the theme exposes such parameters. No CVSS score is provided, but the nature of Local File Inclusion combined with the lack of input validation indicates significant risk for attackers who can target exposed endpoints. The issue is not listed in KEV and no EPSS score is available, yet the potential for code execution warrants immediate attention."}}}}, "created": "2026-03-25T21:47:09.877769+00:00", "updated": "2026-03-25T21:47:09.877800+00:00", "vendors": []}