{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39613", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:27.973Z", "datePublished": "2026-04-08T08:30:24.110Z", "dateUpdated": "2026-04-08T08:30:24.110Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "kute-boutique", "product": "Boutique", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "2.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:37.622Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion.<p>This issue affects Boutique: from n/a through <= 2.3.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion.This issue affects Boutique: from n/a through <= 2.3.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:24.110Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/kute-boutique/vulnerability/wordpress-boutique-theme-2-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Boutique theme <= 2.3.3 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion.This issue affects Boutique: from n/a through <= 2.3.3."}], "id": "CVE-2026-39613", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:31.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/kute-boutique/vulnerability/wordpress-boutique-theme-2-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.3.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Boutique", "source": "cna", "vendor": "kutethemes"}, "product": "boutique", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:42:25.954333+00:00", "value": {"mitigation_remediation": ["Update the boutique theme to version 2.3.4 or later, applying any vendor\u2011supplied security patches", "Disable or remove the theme if an immediate update is not possible, to prevent exploitation", "Ensure the theme directory and included files have strict file permissions so that sensitive data cannot be read by the web server"], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites deploying the kutethemes Boutique theme, version 2.3.3 or earlier. The issue applies to all releases from the initial launch up to and including 2.3.3. Users of newer versions are not affected.", "description_and_impact": "The vulnerability stems from improper control of filenames used in PHP include/require statements within the WordPress Boutique theme. This flaw allows an attacker to cause the application to include arbitrary local files, potentially exposing sensitive configuration files or logs. If the included files contain executable code, an attacker could achieve remote code execution, giving full control over the compromised site.", "risk_and_exploitability": "No CVSS score is available and the EPSS value is missing, but the flaw is severe due to its potential to lead to arbitrary code execution. The vulnerability can be exploited remotely by manipulating URLs or input that feeds the filename variable, making it accessible to anyone hosting the affected theme. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog, but the lack of a public exploit does not diminish the risk, as the attack path is straightforward and requires no special conditions."}}}}, "created": "2026-04-08T19:29:46.984797+00:00", "updated": "2026-04-08T19:42:03.935590+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$boutique", "wordpress", "wordpress$PRODUCT$wordpress"]}