Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion.This issue affects Belfort: from n/a through <= 1.0.
AnalysisAI
A Local File Inclusion (LFI) vulnerability exists in the Mikado-Themes Belfort WordPress theme version 1.0 and earlier, allowing attackers to include and execute arbitrary local files through improper control of filename parameters in PHP include/require statements. While classified as a Remote File Inclusion vulnerability in the CVE description, the actual impact is Local File Inclusion, enabling information disclosure through the reading of sensitive files such as configuration files, database credentials, and source code. No CVSS score, EPSS data, or KEV status is currently available, but the vulnerability's nature suggests moderate to high real-world risk given the prevalence of WordPress themes and the ease of exploitation.
Technical ContextAI
This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), a fundamental input validation flaw in PHP applications. The affected product, Mikado-Themes Belfort (identified via CPE cpe:2.3:a:mikado-themes:belfort:*:*:*:*:*:*:*:*), likely accepts user-controlled input through GET, POST, or other parameters that are directly passed to PHP's include(), require(), include_once(), or require_once() functions without adequate sanitization or validation. Attackers can exploit this by manipulating file path parameters to reference local files on the server (such as /etc/passwd on Linux systems or configuration files in the WordPress directory structure), causing the PHP interpreter to read and potentially execute these files. The vulnerability affects the theme across all versions through 1.0, suggesting it may have been present since the theme's initial release.
RemediationAI
The primary remediation step is to immediately deactivate and remove the Mikado-Themes Belfort theme from affected WordPress installations, replacing it with an alternative, actively maintained WordPress theme from a reputable source. If switching themes is not immediately feasible, implement a temporary Web Application Firewall (WAF) rule on your reverse proxy or WordPress security plugin to block requests containing suspicious file path traversal patterns (such as sequences containing ../, /etc/, or other path traversal indicators) in all query parameters and POST bodies. Additionally, implement file access restrictions at the web server level (Apache .htaccess or Nginx configuration) to prevent direct access to sensitive WordPress configuration files (wp-config.php). Enable WordPress file integrity monitoring to detect unauthorized file inclusions or modifications. Until the theme is removed, ensure WordPress and all plugins are fully patched, and apply principle of least privilege to file system permissions. Contact Mikado-Themes through their website (patchstack.com documentation) or directly to inquire about a security patch; if no patch is forthcoming, permanent removal of the theme is the only reliable solution.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15777