{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27341", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:35.297Z", "datePublished": "2026-03-05T05:53:52.713Z", "dateUpdated": "2026-04-28T16:15:02.083Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "topscorer", "product": "TopScorer - Sports WordPress Theme", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:30.541Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.<p>This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.083Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/topscorer/vulnerability/wordpress-topscorer-sports-wordpress-theme-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress TopScorer - Sports WordPress Theme theme <= 1.2 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T19:10:40.462347Z", "id": "CVE-2026-27341", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:00:14.278Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27341", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T19:10:40.462347Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T19:10:32.654Z"}}], "cna": {"title": "WordPress TopScorer - Sports WordPress Theme theme <= 1.2 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mikado-Themes", "product": "TopScorer - Sports WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2"}], "packageName": "topscorer", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:30.541Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/topscorer/vulnerability/wordpress-topscorer-sports-wordpress-theme-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.<p>This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.083Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27341", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:15:02.083Z", "dateReserved": "2026-02-19T09:51:35.297Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:52.713Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2."}, {"lang": "es", "value": "Control Inadecuado del Nombre de Fichero para la Sentencia Include/Require en Programa PHP (vulnerabilidad de 'inclusi\u00f3n remota de ficheros de PHP') en el tema de WordPress Mikado-Themes TopScorer - Sports topscorer permite la inclusi\u00f3n local de ficheros de PHP. Este problema afecta al tema de WordPress TopScorer - Sports: desde n/a hasta &lt;= 1.2."}], "id": "CVE-2026-27341", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:24.760", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/topscorer/vulnerability/wordpress-topscorer-sports-wordpress-theme-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "TopScorer - Sports WordPress Theme", "source": "cna", "vendor": "Mikado-Themes"}, "product": "topscorer_-_sports_wordpress_theme", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:40:55.411107+00:00", "value": {"mitigation_remediation": ["Update the TopScorer theme to a version newer than 1.2 where the LFI flaw is corrected.", "If an update is not possible, deactivate or uninstall the theme to eliminate the vulnerability.", "Modify the theme\u2019s file inclusion logic or implement strict input validation to reject anomalous paths.", "Keep the WordPress core, plugins, and all other themes up to date to reduce overall risk."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion enabling potential code execution or sensitive data disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the WordPress TopScorer theme developed by Mikado\u2011Themes, for all versions from the initial release through version 1.2. Systems running any of these versions are susceptible.", "description_and_impact": "Improper control of filenames used in PHP include/require statements within the Mikado\u2011Themes TopScorer theme allows attackers to perform local file inclusion. By manipulating the include path, an adversary can read arbitrary files on the server or trigger code execution if malicious files are included. This weakness can expose confidential data, compromise site integrity, or allow arbitrary code to run, thereby jeopardizing confidentiality, integrity, and availability of the affected WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. The EPSS score is below 1%, suggesting a low yet non\u2011zero likelihood that the flaw is currently being exploited in the wild. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. While the description indicates a local file inclusion, the typical exploitation path would involve a remote attacker sending a crafted HTTP request to the website, exploiting the theme\u2019s insecure file handling. Pre\u2011conditions include the theme being active and the attacker having a way to influence the include path, such as a vulnerable query parameter or file upload."}}}}, "created": "2026-03-06T15:13:35.425015+00:00", "updated": "2026-04-15T23:45:05.926093+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$topscorer_-_sports_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}