CVE-2026-57795

themelexus · Kitchor

The Kitchor WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements, allowing unauthorized file access.

Executive summary

A Local File Inclusion vulnerability in the Kitchor WordPress theme allows authenticated attackers to read sensitive files on the server, posing a high security risk.

Vulnerability

This is a Local File Inclusion (LFI) flaw (CWE-98) occurring within the theme's file handling logic. The vulnerability requires the attacker to have low-level privileges (authenticated) to trigger the malicious inclusion.

Business impact

Successful exploitation allows an attacker to read arbitrary files from the web server, which may contain database credentials or sensitive site configuration data. The CVSS score of 7.5 confirms the high risk to business operations, as it facilitates the potential for further unauthorized access or total site compromise.

Remediation

Immediate Action: As no patch is currently available, administrators should immediately deactivate the Kitchor theme or switch to a secure alternative until the vendor provides a remediation.

Proactive Monitoring: Inspect application access logs for unusual requests containing directory traversal strings targeting the theme's directory.

Compensating Controls: Configure a Web Application Firewall (WAF) to inspect and filter incoming traffic for common LFI signatures and directory traversal attempts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The risk posed by this LFI vulnerability is significant. Administrators must treat this as a high-priority item by deactivating the affected theme immediately. Constant vigilance and strict adherence to the principle of least privilege for authenticated users are recommended to mitigate the exposure until a vendor-supplied update is verified.