Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion. This issue affects KuteShop: from n/a through <= 4.2.9.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Immediately
AI Analysis

Impact

This vulnerability arises from improper handling of filenames passed to PHP include/require calls within the KuteShop theme. An attacker can manipulate a request so that the theme includes an arbitrary file from the local filesystem, potentially exposing sensitive configuration data or enabling further exploitation. The weakness is classified as CWE-98 and affects the confidentiality and integrity of the WordPress installation.

Affected Systems

WordPress sites that have the KuteShop theme installed and are running a version equal to or older than 4.2.9 are susceptible. Any such installation, regardless of other plugins or themes, must be considered at risk until the theme is upgraded or the flaw is otherwise mitigated.

Risk and Exploitability

The flaw allows local file inclusion and can be triggered from the public-facing side of the site where the theme is active. No CVSS or EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves crafting a GET or POST request that manipulates the file path parameter within the theme’s PHP code, requiring only access to the WordPress site’s web interface.

Generated by OpenCVE AI on April 8, 2026 at 10:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest KuteShop theme version, ensuring it is newer than 4.2.9
  • If an immediate upgrade is not possible, remove or disable the KuteShop theme until a patched version is available
  • Verify that the theme’s include statements are not exposed to user-supplied input by reviewing the code or consulting the vendor’s documentation
  • Ensure the web server’s file permissions are restrictive so that included files cannot expose privileged data
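For the code-review action above, a first-pass audit can flag include/require statements whose argument comes from request data. The script below is an added example, not code from KuteShop or OpenCVE: it is a line-based heuristic whose hits need manual review, the PHP in `SAMPLE` is constructed for illustration, and the directory passed to `scan_theme` is whatever path the theme is installed under.

```python
import re
from pathlib import Path

# Request-controlled PHP superglobals treated as taint sources.
TAINT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
VAR = re.compile(r"\$[A-Za-z_]\w*")
# include/require(_once) statement, argument captured up to the semicolon.
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?(?P<arg>[^;]*);", re.I)
# Plain assignment "$var = expr;" (not ==, => or .=).
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*([^;]*);")

def _tainted(expr, names):
    return bool(TAINT.search(expr)) or any(v in names for v in VAR.findall(expr))

def find_risky_includes(php_source):
    """Return (line_no, statement) for includes fed by request data."""
    names, findings = set(), []
    for no, line in enumerate(php_source.splitlines(), 1):
        stmt = line.strip()
        if stmt.startswith(("//", "#", "*", "/*")):  # skip comment lines
            continue
        for m in ASSIGN.finditer(stmt):  # propagate taint through variables
            if _tainted(m.group(2), names):
                names.add(m.group(1))
            else:
                names.discard(m.group(1))
        for m in INCLUDE.finditer(stmt):
            if _tainted(m.group("arg"), names):
                findings.append((no, stmt))
    return findings

def scan_theme(root):
    hits = {}
    for f in sorted(Path(root).rglob("*.php")):
        found = find_risky_includes(f.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(f)] = found
    return hits

# Constructed sample input (not KuteShop code): lines 4 and 6 should be flagged.
SAMPLE = r"""<?php
$style = $_GET['style'];
$path  = get_template_directory() . '/templates/' . $style . '.php';
include $path;
require_once get_template_directory() . '/inc/setup.php';
include_once( $_REQUEST['tab'] . '.php' );
$fixed = 'header';
include __DIR__ . '/parts/' . $fixed . '.php';
"""
```

The scan does not recognise allowlist checks or sanitising functions, so a flagged line means "review this include", not "confirmed vulnerable".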

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress
Vendors & Products | | Kutethemes; Kutethemes kuteshop; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion. This issue affects KuteShop: from n/a through <= 4.2.9.
Title | | WordPress KuteShop theme <= 4.2.9 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:23.760Z

Reserved: 2026-04-07T10:48:55.140Z

Link: CVE-2026-39611

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:30.580

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39611

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:06Z

Weaknesses