CVE-2026-57802

Select-Themes · Struktur

The Struktur WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper handling of filename inputs in PHP include/require statements.

Executive summary

A high-severity Local File Inclusion vulnerability in the Select-Themes Struktur WordPress theme allows authenticated attackers to potentially access sensitive server files.

Vulnerability

This vulnerability involves improper control of filenames used in PHP include statements, which can be exploited by an authenticated attacker with low privileges to perform Local File Inclusion (LFI) attacks.

Business impact

Successful exploitation of this vulnerability could lead to the unauthorized disclosure of sensitive server-side information, including system configuration files or environment credentials. The CVSS score of 7.5 reflects the high impact on confidentiality and integrity, necessitating prompt mitigation to prevent potential data breaches.

Remediation

Immediate Action: As no patched version is currently available, administrators should immediately deactivate or remove the Struktur theme until the vendor releases a security update.

Proactive Monitoring: Monitor server logs for suspicious directory traversal attempts or unauthorized attempts to include sensitive PHP files.

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect incoming HTTP requests for common LFI patterns and block malicious payloads targeting the theme.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the high severity and the absence of a direct patch, organizations should treat this as an urgent security requirement. Deactivating the theme is the only effective way to neutralize the risk until the vendor provides a secure version.