{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39611", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:55.140Z", "datePublished": "2026-04-08T08:30:23.760Z", "dateUpdated": "2026-04-10T16:27:08.158Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "kuteshop", "product": "KuteShop", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "4.2.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.382Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.<p>This issue affects KuteShop: from n/a through <= 4.2.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.This issue affects KuteShop: from n/a through <= 4.2.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.760Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress KuteShop theme <= 4.2.9 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T16:27:01.126012Z", "id": "CVE-2026-39611", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:27:08.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39611", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-10T16:27:01.126012Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T16:26:51.200Z"}}], "cna": {"title": "WordPress KuteShop theme <= 4.2.9 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "kutethemes", "product": "KuteShop", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "4.2.9"}], "packageName": "kuteshop", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:37.382Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.This issue affects KuteShop: from n/a through <= 4.2.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.<p>This issue affects KuteShop: from n/a through <= 4.2.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:23.760Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39611", "state": "PUBLISHED", "dateUpdated": "2026-04-10T16:27:08.158Z", "dateReserved": "2026-04-07T10:48:55.140Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:23.760Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.This issue affects KuteShop: from n/a through <= 4.2.9."}], "id": "CVE-2026-39611", "lastModified": "2026-04-10T17:17:11.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:30.580", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/kuteshop/vulnerability/wordpress-kuteshop-theme-4-2-9-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.2.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KuteShop", "source": "cna", "vendor": "kutethemes"}, "product": "kuteshop", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:14:32.390558+00:00", "value": {"mitigation_remediation": ["Apply the latest KuteShop theme version, ensuring it is newer than 4.2.9", "If an immediate upgrade is not possible, remove or disable the KuteShop theme until a patched version is available", "Verify that the theme\u2019s include statements are not exposed to user-supplied input by reviewing the code or consulting the vendor\u2019s documentation", "Ensure the web server\u2019s file permissions are restrictive so that included files cannot expose privileged data"], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the KuteShop theme installed and are running a version equal to or older than 4.2.9 are susceptible. Any such installation, regardless of other plugins or themes, must be considered at risk until the theme is upgraded or the flaw is otherwise mitigated.", "description_and_impact": "This vulnerability arises from improper handling of filenames used in PHP include/require calls within the KuteShop theme. An attacker can manipulate a request to cause the theme to include an arbitrary file from the local filesystem, potentially exposing sensitive configuration data or enabling further exploitation. The weakness is classified as CWE\u201198, which affects confidentiality and integrity of the WordPress installation.", "risk_and_exploitability": "The flaw allows local file inclusion and can be triggered from the public-facing side of the site where the theme is active. No CVSS or EPSS score is publicly available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves crafting a GET or POST request that manipulates the file path parameter within the theme\u2019s PHP code, requiring only access to the WordPress site\u2019s web interface."}}}}, "created": "2026-04-08T19:29:49.019967+00:00", "updated": "2026-04-08T19:42:06.275397+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$kuteshop", "wordpress", "wordpress$PRODUCT$wordpress"]}