Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion. This issue affects KuteShop: from n/a through <= 4.2.9.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The KuteShop theme contains an improper control of the filename in a PHP include/require statement that allows a local file inclusion. An attacker who can trigger the vulnerable code can read arbitrary files from the server, and if the file contains executable code, the attacker could potentially run PHP on the server. This weakness can compromise the confidentiality and integrity of the website data and may lead to full site takeover.
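The weakness class named above (CWE-98) comes from passing request-controlled data into `include`/`require`. The following is an added illustration written for this page, not code from the KuteShop theme, showing the generic vulnerable pattern beside an allow-list hardened form; the parameter name `tpl`, the `templates/` directory and the template names are assumptions chosen for the example.

```php
<?php
// Added example (not KuteShop's code): the CWE-98 pattern in generic form.
// The request parameter name 'tpl' and the templates/ directory are hypothetical.

// Vulnerable: the request value reaches include() unchanged, so a value containing
// "../" sequences or an absolute path selects arbitrary files on the server.
function render_template_unsafe(string $requested): void
{
    include __DIR__ . '/templates/' . $requested . '.php';
}

// Hardened: map the request value onto a fixed allow-list of template files and
// refuse anything else, so the include target is never derived from user input.
const ALLOWED_TEMPLATES = [
    'product'  => 'product.php',
    'cart'     => 'cart.php',
    'checkout' => 'checkout.php',
];

function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null; // not an allow-listed key: reject
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_TEMPLATES[$requested]);
    // Defence in depth: even an allow-listed entry must resolve inside the
    // template directory (guards against a misconfigured or symlinked entry).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

render_template($_GET['tpl'] ?? 'product');
```

The same rule applies inside a WordPress theme: a value from `$_GET`, `$_POST` or a query variable should only ever select among fixed, known template names (for example through a `switch` or an array lookup like the one above), never be concatenated into the path handed to `include`, `require` or `get_template_part()`.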

Affected Systems

The vulnerability affects the kutethemes KuteShop WordPress theme in all releases up through version 4.2.9. Any WordPress installation that has a KuteShop theme version 4.2.9 or older is potentially exposed.

Risk and Exploitability

The CVSS score is 7.5 (High) and the EPSS score is below 1 percent, indicating a high severity rating but a low expected probability of exploitation. The issue is not listed in CISA's KEV catalog, so no known large-scale exploit activity is recorded. The likely attack vector is a crafted HTTP request that causes the theme code to include a local file, which is feasible only on sites where an attacker can influence the path passed to the include statement. Knowledge of the theme's internal structure and the presence of the vulnerable code would be required to exploit the flaw.

Generated by OpenCVE AI on April 10, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the KuteShop theme to a version newer than 4.2.9.
  • If an update is not immediately possible, replace the theme with a trusted alternative and remove the vulnerable code fragments.
  • Regularly audit the theme files for unexpected changes and monitor web server access logs for requests that attempt to supply file paths to the theme's include logic.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values added: Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion. This issue affects KuteShop: from n/a through <= 4.2.9.

Type: Title
Values added: WordPress KuteShop theme <= 4.2.9 - Local File Inclusion vulnerability

Type: Weaknesses
Values added: CWE-98

Type: References
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.574Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39611

Vulnrichment

Updated: 2026-04-10T16:26:51.200Z

NVD

Status : Deferred

Published: 2026-04-08T09:16:30.580

Modified: 2026-04-24T18:06:58.907

Link: CVE-2026-39611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:25:13Z

Weaknesses