Description
Unauthenticated Local File Inclusion in Kastell <= 2.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Kastell WordPress theme contains an unauthenticated Local File Inclusion flaw that allows an attacker to read files on the server. By manipulating a parameter that is passed to a file include function, an adversary can cause the theme to include arbitrary files, potentially exposing sensitive configuration or code data. This vulnerability is categorized as a path traversal flaw (CWE‑35) and can compromise confidential information and system integrity if files such as wp-config.php or server logs are accessed.

Affected Systems

This weakness affects WordPress installations that use the Mikado‑Themes Kastell theme, versions 2.0 or older. Sites that have not applied the 2.0.1 update are directly vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 reflects a high severity, while no EPSS score is available and the flaw is not listed in the CISA KEV catalog. Because the vulnerability is unauthenticated and exploitable via a crafted request to a publicly exposed WordPress page, an attacker with network access to the site can trigger the inclusion without special privileges. The lack of remote authentication makes the attack likely from anywhere that can reach the site.

Generated by OpenCVE AI on June 18, 2026 at 11:44 UTC.

Remediation

Vendor Solution

Update the WordPress Kastell theme to the latest available version (at least 2.0.1).


OpenCVE Recommended Actions

  • Install WordPress Kastell theme version 2.0.1 or newer.
  • Confirm the site no longer references the insecure version and remove any old theme files.
  • Review file permissions on the theme directory to limit read access to WordPress processes only.

Generated by OpenCVE AI on June 18, 2026 at 11:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes kastell
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes kastell
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Kastell <= 2.0 versions.
Title WordPress Kastell theme <= 2.0 - Local File Inclusion vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Kastell
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:43:54.324Z

Reserved: 2026-06-08T10:11:13.730Z

Link: CVE-2026-52707

cve-icon Vulnrichment

Updated: 2026-06-17T14:43:14.316Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:15Z

Weaknesses
  • CWE-35

    Path Traversal: '.../...//'