Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion. This issue affects Boutique: from n/a through <= 2.3.3.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from improper control of filenames used in PHP include/require statements within the WordPress Boutique theme. This flaw allows an attacker to cause the application to include arbitrary local files, potentially exposing sensitive configuration files or logs. If the included files contain executable code, an attacker could achieve remote code execution, giving full control over the compromised site.

Affected Systems

WordPress sites deploying the kutethemes Boutique theme, version 2.3.3 or earlier. The issue applies to all releases from the initial launch up to and including 2.3.3. Users of newer versions are not affected.

Risk and Exploitability

No CVSS score is available and the EPSS value is missing, but the flaw is severe due to its potential to lead to arbitrary code execution. The vulnerability can be exploited remotely by manipulating URLs or input that feeds the filename variable, so any site hosting the affected theme is exposed. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the lack of a public exploit does not diminish the risk, as the attack path is straightforward and requires no special conditions.

Generated by OpenCVE AI on April 8, 2026 at 09:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Boutique theme to version 2.3.4 or later, applying any vendor-supplied security patches
  • Disable or remove the theme if an immediate update is not possible, to prevent exploitation
  • Ensure the theme directory and included files have strict file permissions so that sensitive data cannot be read by the web server

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Kutethemes; Kutethemes boutique; Wordpress; Wordpress wordpress
Vendors & Products | - | Kutethemes; Kutethemes boutique; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | - | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion. This issue affects Boutique: from n/a through <= 2.3.3.
Title | - | WordPress Boutique theme <= 2.3.3 - Local File Inclusion vulnerability
Weaknesses | - | CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:24.110Z

Reserved: 2026-04-07T10:57:27.973Z

Link: CVE-2026-39613

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:31.050

Modified: 2026-04-08T21:26:35.910

Link: CVE-2026-39613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:42:03Z

Weaknesses