{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67936", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:55.701Z", "datePublished": "2026-01-08T09:17:49.863Z", "dateUpdated": "2026-04-28T19:26:48.530Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "curly", "product": "Curly", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "3.3", "status": "unaffected"}], "lessThanOrEqual": "3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:08.334Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.<p>This issue affects Curly: from n/a through < 3.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.203Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Curly theme < 3.3 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T18:39:39.511618Z", "id": "CVE-2025-67936", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T19:26:48.530Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67936", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T09:59:55.701Z", "datePublished": "2026-01-08T09:17:49.863Z", "dateUpdated": "2026-04-28T19:26:48.530Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "curly", "product": "Curly", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "3.3", "status": "unaffected"}], "lessThanOrEqual": "3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:02:08.334Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.<p>This issue affects Curly: from n/a through < 3.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.203Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Curly theme < 3.3 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67936", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T18:39:39.511618Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:39:22.940Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qodeinteractive:curly:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "9A882FBA-F99A-4655-A4A1-AC460EE4BA34", "versionEndExcluding": "3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3."}], "id": "CVE-2025-67936", "lastModified": "2026-02-03T19:16:14.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-08T10:15:52.810", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-27T21:42:44.818960+00:00", "value": {"mitigation_remediation": ["Upgrade the Curly theme to version\u202f3.3 or newer, which removes the insecure include logic.", "If an upgrade is not immediately possible, disable any theme functionality that allows arbitrary file paths or remove the include statements that reference user\u2011controlled input.", "Configure PHP to set allow_url_include to Off and, if applicable, apply open_basedir restrictions to prevent access to sensitive directories.", "Continuously monitor web application logs for abnormal attempts to include local files and enforce strict input validation on any theme\u2011related parameters."], "summary": {"action": "Apply update", "impact": "Local File Inclusion (Potential Remote Code Execution)"}, "threat_synthesis": {"affected_systems": "WordPress sites adopting the Curly theme from any unreleased revision up to, but not including, version\u202f3.3 are affected. This includes any installation where the theme\u2019s include logic is reachable, typically through theme\u2011specific widgets or page templates.", "description_and_impact": "A flaw exists in how the Mikado-Themes Curly WordPress theme processes file names for PHP include/require calls, allowing attackers to point the theme at arbitrary local files. If an attacker can specify a file that contains PHP code, that code can be executed on the server, leading to full remote control of the site. The weakness is a classic Local File Inclusion issue classified as CWE\u201198.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 8.1, indicating high severity. The EPSS score is less than 1\u202f%, suggesting exploitation is currently rare, and the issue is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local file inclusion via crafted theme requests; the attacker must have the ability to influence the include path, which could be achieved through the theme\u2019s front\u2011end controls or by manipulating query parameters. Successful exploitation would enable reading sensitive files or executing arbitrary PHP to gain full compromise of the WordPress instance."}}}}, "created": "2026-01-09T13:25:01.243115+00:00", "updated": "2026-04-27T21:45:14.537480+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$curly", "wordpress", "wordpress$PRODUCT$wordpress"]}