CVE-2026-39613
Published: 08 April 2026
Summary
CVE-2026-39613 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39613 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the kutethemes Boutique (kute-boutique) WordPress theme. This flaw affects all versions of the Boutique theme up to and including 2.3.3, with no lower bound specified.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network by low-privileged authenticated users (PR:L) without user interaction, though it requires high attack complexity (AC:H). Successful exploitation allows attackers to achieve high impacts on confidentiality, integrity, and availability, typically through local file inclusion to access or manipulate sensitive files on the server.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/kute-boutique/vulnerability/wordpress-boutique-theme-2-3-3-local-file-inclusion-vulnerability?_s_id=cve, which covers the Local File Inclusion issue in the WordPress Boutique theme version 2.3.3.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20249
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion.This issue affects Boutique: from n/a through <= 2.3.3.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The LFI vulnerability in a public-facing WordPress theme directly enables exploitation of the web application (T1190) and facilitates access to sensitive local server files (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the LFI vulnerability by identifying, prioritizing, and patching the improper filename control in the Boutique WordPress theme up to version 2.3.3.
Information input validation enforces checks on filenames used in PHP include/require statements, preventing arbitrary local file inclusion by low-privileged users.
Configuration settings secure PHP environments by restricting file access paths (e.g., open_basedir) and disabling features like allow_url_include, mitigating LFI exploitation.