{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39538", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:15.448Z", "datePublished": "2026-04-08T08:30:17.109Z", "dateUpdated": "2026-04-08T08:30:17.109Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mikado-core", "product": "Mikado Core", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "2.2.2", "status": "unaffected"}], "lessThanOrEqual": "1.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:57.242Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.<p>This issue affects Mikado Core: from n/a through <= 1.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:17.109Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mikado-core/vulnerability/wordpress-mikado-core-plugin-1-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Mikado Core plugin <= 1.6 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6."}], "id": "CVE-2026-39538", "lastModified": "2026-04-08T09:16:26.490", "metrics": {}, "published": "2026-04-08T09:16:26.490", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mikado-core/vulnerability/wordpress-mikado-core-plugin-1-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T09:52:32.967188+00:00", "value": {"mitigation_remediation": ["Update Mikado Core to the latest release (1.7 or later), which removes the vulnerable include logic.", "If an immediate update is not possible, restrict file inclusion parameters and validate all user-supplied paths to prevent arbitrary file access.", "Review the plugin\u2019s configuration to ensure no unintended file paths are exposed through URLs or form fields.", "Verify that the web server disallows execution of included scripts from directories accessible to the plugin."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "Mikado-Core by Mikado-Themes is affected in all releases from the first available version through 1.6 inclusive. Users running Mikado Core 1.6 or earlier are at risk and should verify the plugin version in use.", "description_and_impact": "The vulnerability allows an attacker to manipulate the filename used in a PHP include/require statement. By supplying a crafted input, the plugin can include arbitrary local files, potentially exposing sensitive configuration files or application logic. Although the description does not detail execution of arbitrary code, the ability to read or execute local files can lead to privilege escalation or remote code execution if the included files contain malicious content.", "risk_and_exploitability": "This local file inclusion is considered a moderate to high risk, especially if the attacker can influence the file path and read critical data. No EPSS score is reported, and the vulnerability is not listed in the CISA KEV catalog, indicating lower documented exploitation activity. The attack vector is inferred to be a web-based request targeting the plugin\u2019s input handling mechanism, which, if not validated, allows the inclusion of unintended files."}}}}, "created": "2026-04-08T19:42:40.202259+00:00", "updated": "2026-04-08T19:42:40.202290+00:00", "vendors": []}