Cyber Posture

CVE-2026-25382

High · Updated

Published: 25 March 2026

Modified: 24 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (37.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25382 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

SI-2 requires timely flaw remediation, directly addressing this LFI vulnerability by applying the patch released in IdealAuto version 3.8.6.

prevent

SI-10 mandates validation of information inputs, preventing attackers from supplying malicious filenames to the PHP include/require statement exploited in this CVE.

prevent

CM-6 enforces secure configuration settings such as PHP open_basedir restrictions, limiting the scope of local file inclusion even if input validation fails.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001 Credentials In Files (Tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Unauthenticated remote LFI vulnerability in public-facing WordPress theme enables T1190 exploitation and facilitates collection of sensitive local files including potential credentials (T1005, T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes IdealAuto idealauto allows PHP Local File Inclusion. This issue affects IdealAuto: from n/a through < 3.8.6.

Deeper analysis · AI

CVE-2026-25382 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98 and commonly known as PHP Remote File Inclusion, affecting the IdealAuto WordPress theme developed by jwsthemes. Specifically, it enables PHP Local File Inclusion in IdealAuto versions prior to 3.8.6 (the affected range is listed as n/a through < 3.8.6). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

Remote attackers can exploit this vulnerability over the network without privileges or user interaction, though attack complexity is high. Successful exploitation allows inclusion of local PHP files, potentially enabling arbitrary code execution, data exfiltration, or system compromise on the targeted WordPress site running the vulnerable theme.

According to the Patchstack advisory referenced for this CVE, the vulnerability was addressed in IdealAuto version 3.8.6, and users are advised to update to this or a later version to mitigate the Local File Inclusion risk.

Details

CWE(s): CWE-98

CVEs Like This One

CVE-2026-22503 (shared CWE-98)
CVE-2025-60056 (shared CWE-98)
CVE-2025-67530 (shared CWE-98)
CVE-2026-22364 (shared CWE-98)
CVE-2025-68536 (shared CWE-98)
CVE-2026-28059 (shared CWE-98)
CVE-2025-60053 (shared CWE-98)
CVE-2025-48330 (shared CWE-98)
CVE-2026-22371 (shared CWE-98)
CVE-2026-27996 (shared CWE-98)
