CVE-2026-27079
Published: 25 March 2026
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Amfissa amfissa allows PHP Local File Inclusion. This issue affects Amfissa: from n/a through 1.1.
Mitigating Controls (NIST 800-53 r5)
Flaw remediation: identify affected Amfissa installations, apply the vendor fix for the PHP Local File Inclusion flaw, and deploy it to every site running version 1.1 or earlier.
Input validation: validate any user-supplied value that reaches a PHP include/require statement so that path traversal sequences, absolute paths and stream wrappers cannot select the file to be included.
Input restriction: restrict such values to an allowlist of known template names or paths, so the request can choose among fixed files but can never name an arbitrary local file for inclusion.
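The two input controls above describe the fix for the general CWE-98 pattern rather than Amfissa's own code. The following added example, which is not from the Amfissa theme or from Patchstack's advisory, shows the vulnerable shape (a request-controlled string concatenated into an include path) next to an allowlist-based replacement, and runs them against constructed inputs in a throwaway temp directory. The parameter name, the parts/ directory, the function names and the fake site layout are all hypothetical.

```php
<?php
declare(strict_types=1);
/*
 * Added example for this advisory page. It is NOT code from the Amfissa theme
 * or from Patchstack's advisory: it reproduces the generic CWE-98 pattern
 * (request-controlled string reaching include/require) and an allowlist fix.
 * Every name here (the "part" value, the parts/ directory, the function
 * names, the fake site layout) is hypothetical. Run with: php lfi_allowlist.php
 */

// Constructed fake site layout in a temp dir so the script runs offline.
$site      = sys_get_temp_dir() . '/lfi_demo_site';
$themeRoot = $site . '/wp-content/themes/demo';
@mkdir($themeRoot . '/parts', 0700, true);
file_put_contents($site . '/wp-config.php',
    "<?php echo \"  [wp-config.php included: DB_PASSWORD would be readable here]\\n\";\n");
file_put_contents($themeRoot . '/parts/sidebar.php',
    "<?php echo \"  [sidebar part rendered]\\n\";\n");

// Vulnerable pattern: the request value is concatenated into the include path.
// A traversal string climbs out of parts/ to any *.php the web server can read.
function load_part_vulnerable(string $themeRoot, string $name): void
{
    include $themeRoot . '/parts/' . $name . '.php';
}

// Hardened pattern: the request supplies a key into a fixed map, never a path.
const ALLOWED_PARTS = [
    'header'  => 'parts/header.php',
    'footer'  => 'parts/footer.php',
    'sidebar' => 'parts/sidebar.php',
];

function resolve_part(string $themeRoot, string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PARTS)) {
        return null;                                   // unknown key: fail closed
    }
    $base = realpath($themeRoot);
    $path = realpath($themeRoot . '/' . ALLOWED_PARTS[$name]);
    // Defence in depth: the resolved file must exist and sit under the theme root,
    // so a bad map entry or a symlink cannot escape either.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_part(string $themeRoot, string $name): bool
{
    $path = resolve_part($themeRoot, $name);
    if ($path === null) {
        return false;                                  // caller can answer 404
    }
    include $path;
    return true;
}

// Constructed request values: a legitimate key, a key whose file is missing,
// and a traversal string of the kind CWE-98 is about. Not a claim about
// Amfissa's actual parameter or payload.
$samples = [
    'sidebar',
    'header',
    '../../../../wp-config',
];

echo "Vulnerable include:\n";
foreach ($samples as $s) {
    echo "  $s\n";
    @load_part_vulnerable($themeRoot, $s);   // the traversal sample pulls in wp-config.php
}

echo "Allowlisted include:\n";
foreach ($samples as $s) {
    $ok = load_part($themeRoot, $s);         // only 'sidebar' resolves; the rest are rejected
    printf("  %-24s -> %s\n", $s, $ok ? 'included' : 'rejected');
}
```

The allowlist is the control that matters: once the request can only pick a key, path validation becomes a second layer rather than the only one. The realpath check is kept because map entries and theme directories change over time, and it catches a future entry that points outside the theme.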
Security Summary
CVE-2026-27079 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, whose CWE title is 'PHP Remote File Inclusion') that in this case enables PHP Local File Inclusion in the Amfissa WordPress theme developed by Mikado-Themes. All versions from n/a through 1.1 are affected.
The CVSS v3.1 base score is 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): a remote, unauthenticated attacker (AV:N, PR:N) can exploit the flaw without user interaction (UI:N), although attack complexity is rated high (AC:H). Successful exploitation has high confidentiality, integrity and availability impact (C:H/I:H/A:H) within the same scope (S:U), meaning disclosure of local files on the web server and, where an attacker can stage PHP code in an includable file, code execution on the targeted system.
Patchstack's advisory at https://patchstack.com/database/Wordpress/Theme/amfissa/vulnerability/wordpress-amfissa-theme-1-1-local-file-inclusion-vulnerability?_s_id=cve details the vulnerability in the WordPress Amfissa theme version 1.1.
Details
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program, 'PHP Remote File Inclusion')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A Local File Inclusion flaw in a WordPress theme exposed on a public web server is reachable by unauthenticated remote attackers, so exploitation maps directly to Exploit Public-Facing Application (T1190).