Cyber Posture

CVE-2026-25382

Severity: High
Published: 25 March 2026
Modified: 24 April 2026
KEV Added:
Patch:
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (37.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion. This issue affects IdealAuto: from n/a through < 3.8.6.

Mitigating Controls (NIST 800-53 r5), AI-generated

- SI-2 (prevent): requires timely flaw remediation, directly addressing this LFI vulnerability by applying the patch released in IdealAuto version 3.8.6.
- SI-10 (prevent): mandates validation of information inputs, preventing attackers from supplying malicious filenames to the PHP include/require statement exploited in this CVE.
- CM-6 (prevent): enforces secure configuration settings such as PHP open_basedir restrictions, limiting the scope of local file inclusion even if input validation fails.
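The SI-10 and CM-6 controls above describe the two layers that matter for a CWE-98 weakness: never build an include path from request input, and cap what the interpreter may read even if a path check fails. The following is an added, generic illustration of both layers; it is not the IdealAuto theme's code and makes no claim about how that theme builds its include paths. The request parameter name ("view"), the views directory, the allowlist entries and the php.ini path in the closing comment are all assumptions chosen for the example.

```php
<?php
// Added example (not IdealAuto's code): the CWE-98 include pattern beside a
// hardened version. Parameter name "view" and the views/ directory are assumed.

declare(strict_types=1);

// --- Weak pattern, as CWE-98 describes it: the include path is assembled
// directly from attacker-controlled input, so the request decides which local
// file the interpreter loads. Shown only to contrast with the fix below.
function render_view_unsafe(string $requested): void
{
    include __DIR__ . '/views/' . $requested . '.php';
}

// --- Hardened pattern (SI-10, input validation): the request value is only a
// key into a table the application owns; it is never used as a path component.
const ALLOWED_VIEWS = [
    'listing' => 'listing.php',
    'detail'  => 'detail.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of an allowed view, or null for anything else.
function resolve_view(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_VIEWS)) {
        return null;
    }
    $base = realpath(__DIR__ . '/views');
    $path = realpath(__DIR__ . '/views/' . ALLOWED_VIEWS[$requested]);
    // Defence in depth: even an allowlisted entry must resolve inside views/
    // (guards against a symlinked file or a mis-edited table).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_view(string $requested): void
{
    $path = resolve_view($requested);
    if ($path === null) {
        // Rejected values are logged: a spike of these is a useful detection
        // signal for scanning against include-based endpoints.
        error_log(sprintf('rejected view parameter: %s', $requested));
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Entry point: a missing or non-string parameter becomes '' and is rejected
// by the allowlist like any other unexpected value.
$view = (string) (filter_input(INPUT_GET, 'view', FILTER_UNSAFE_RAW) ?? '');
render_view($view);

// --- Configuration layer (CM-6), set in php.ini or a per-site .user.ini
// (path assumed), so a failed path check still cannot reach outside the site:
//   open_basedir = "/var/www/html:/tmp"
//   allow_url_include = Off
```

The allowlist, not the realpath check, is the primary control: it turns an open-ended filename into a closed set of choices, which is exactly what SI-10 asks for. The realpath prefix test and open_basedir are there for the case where the allowlist itself is later edited incorrectly.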

Security Summary, AI-generated

CVE-2026-25382 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98 and commonly known as PHP Remote File Inclusion, affecting the IdealAuto WordPress theme developed by jwsthemes. Specifically, it enables PHP Local File Inclusion in versions of IdealAuto from n/a through those prior to 3.8.6. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Remote attackers can exploit this vulnerability over the network without requiring user privileges or interaction, though it demands high attack complexity. Successful exploitation allows inclusion of local PHP files, potentially enabling arbitrary code execution, data exfiltration, or system compromise on the targeted WordPress site running the vulnerable theme.

According to the Patchstack advisory referenced for this CVE, the vulnerability was addressed in IdealAuto version 3.8.6; the advisory recommends updating to that version or later to mitigate the Local File Inclusion risk.

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

MITRE ATT&CK Enterprise Techniques, AI-generated

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

An unauthenticated remote LFI vulnerability in a public-facing WordPress theme enables exploitation under T1190 and facilitates collection of sensitive local files, including files that may hold credentials (T1005, T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References