EUVD-2026-20193
GHSA-c523-5gm5-4mr8
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6.
AnalysisAI
Local File Inclusion in Mikado Core WordPress plugin (≤1.6) allows authenticated remote attackers to read arbitrary files on the server via improper filename control in PHP include/require statements. Despite a 7.5 CVSS score, real-world risk is limited by low-privilege authentication requirement (PR:L) and high attack complexity (AC:H). …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all WordPress installations using Mikado Core plugin and document current version numbers. Within 7 days: Disable or remove Mikado Core plugin from all affected WordPress sites until a patched version is available; if plugin functionality is critical, restrict user registrations and audit existing user accounts for suspicious activity. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today