{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27075", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:51.341Z", "datePublished": "2026-03-25T16:14:54.455Z", "dateUpdated": "2026-03-25T16:14:54.455Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "belfort", "product": "Belfort", "vendor": "Mikado-Themes", "versions": [{"lessThanOrEqual": "<= 1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:33.752Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion.<p>This issue affects Belfort: from n/a through <= 1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion.This issue affects Belfort: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:54.455Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/belfort/vulnerability/wordpress-belfort-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Belfort theme <= 1.0 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion.This issue affects Belfort: from n/a through <= 1.0."}], "id": "CVE-2026-27075", "lastModified": "2026-03-25T17:16:54.923", "metrics": {}, "published": "2026-03-25T17:16:54.923", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/belfort/vulnerability/wordpress-belfort-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:44:00.724288+00:00", "value": {"mitigation_remediation": ["Update the Belfort theme to the latest version that removes the LFI flaw, or discontinue use if no update is available.", "If an update is not feasible, remove the theme from the site to eliminate the attack surface.", "Configure web server file permissions to restrict access to files that should not be included, preventing LFI exploitation.", "Deploy a web application firewall or security plugin that blocks include/require path traversal patterns.", "Monitor web server logs for anomalous file inclusion attempts and respond to any suspicious activity promptly."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress users installing the Belfort theme from any version up to and including 1.0 are affected. The issue applies to all releases prior to the next major update, so any site running the theme in that range is vulnerable.", "description_and_impact": "The vulnerability is caused by improper control of the filename in a PHP include/require statement, allowing a local file inclusion (LFI) in the Mikado-Themes Belfort theme. This flaw could let an attacker read sensitive files or, if arbitrary code can be executed from the included files, potentially run malware or compromise the system. The weakness is classified as CWE\u201198.", "risk_and_exploitability": "No CVSS or EPSS metrics are provided, and the vulnerability is not listed in the CISA KEV catalog, indicating limited publicly available exploitation data. The most likely attack vector involves the attacker sending a specially crafted request that manipulates the include path to read arbitrary files from the web server. Since the flaw relies on a local file operation, it would be easier to exploit in a trusted environment or if file permissions are misconfigured."}}}}, "created": "2026-03-25T21:44:02.225863+00:00", "updated": "2026-03-25T21:44:02.225887+00:00", "vendors": []}