Description
Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mikado Core WordPress plugin versions up to 1.6 suffer a local file inclusion flaw that permits unauthenticated users to read arbitrary files on the server. This weakness, identified as CWE‑98, enables attackers to reveal sensitive data such as configuration files, credentials, or other confidential information and could facilitate further compromise of the underlying host or applications. The impact is confined to the web application context but can lead to significant confidentiality and integrity violations.

Affected Systems

WordPress sites that have the Mikado Core plugin version 1.6 or older installed are affected. The plugin is distributed by Mikado‑Themes under the product name Mikado Core. No specific sub‑versions are listed, so all releases through 1.6 are considered vulnerable.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high‑severity flaw. No EPSS value is published, so the current exploitation likelihood is unknown, but unauthenticated file inclusion is a well‑known attack vector that can be triggered through crafted HTTP requests. The vulnerability is not listed in the CISA KEV catalog, yet its potential to expose sensitive files makes it a high‑risk target for attackers targeting WordPress instances.

Generated by OpenCVE AI on June 18, 2026 at 14:07 UTC.

Remediation

Vendor Solution

Update the WordPress Mikado Core Plugin to the latest available version (at least 1.7.2).


OpenCVE Recommended Actions

  • Update the Mikado Core plugin to version 1.7.2 or later; the vendor’s CNA recommends this fix.
  • If an immediate update is not possible, remove or deactivate the Mikado Core plugin and restrict PHP file inclusion on the server to minimize exposure.
  • Configure PHP to set allow_url_include = Off and ensure that open_basedir is properly set to restrict file inclusion.

Generated by OpenCVE AI on June 18, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes mikado Core
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes mikado Core
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions.
Title WordPress Mikado Core plugin <= 1.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Mikado Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:36:44.694Z

Reserved: 2026-04-07T10:48:15.448Z

Link: CVE-2026-39537

cve-icon Vulnrichment

Updated: 2026-06-17T12:36:35.924Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')