Impact
The Mikado Core WordPress plugin versions up to 1.6 suffer a local file inclusion flaw that permits unauthenticated users to read arbitrary files on the server. This weakness, identified as CWE‑98, enables attackers to reveal sensitive data such as configuration files, credentials, or other confidential information and could facilitate further compromise of the underlying host or applications. The impact is confined to the web application context but can lead to significant confidentiality and integrity violations.
Affected Systems
WordPress sites that have the Mikado Core plugin version 1.6 or older installed are affected. The plugin is distributed by Mikado‑Themes under the product name Mikado Core. No specific sub‑versions are listed, so all releases through 1.6 are considered vulnerable.
Risk and Exploitability
The CVSS score of 8.1 marks this as a high‑severity flaw. No EPSS value is published, so the current exploitation likelihood is unknown, but unauthenticated file inclusion is a well‑known attack vector that can be triggered through crafted HTTP requests. The vulnerability is not listed in the CISA KEV catalog, yet its potential to expose sensitive files makes it a high‑risk target for attackers targeting WordPress instances.
OpenCVE Enrichment