CVE-2026-57792 in Dør Plugininfo

Summary

by MITRE • 07/13/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dør dor allows PHP Local File Inclusion.This issue affects Dør: from n/a through <= 2.4.1.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The vulnerability described represents a critical improper control of filename for include/require statements in PHP applications, commonly categorized as PHP Remote File Inclusion or Local File Inclusion issues. This weakness occurs when user-supplied input is directly used in PHP's include or require functions without proper validation or sanitization, creating opportunities for attackers to execute arbitrary code or access sensitive files on the server. The specific implementation affects Mikado-Themes Dør dor theme versions through 2.4.1, where the vulnerability manifests as a local file inclusion exploit that can be leveraged by remote attackers.

The technical flaw stems from inadequate input validation mechanisms within the theme's PHP code execution flow. When the application processes user-controllable parameters that are subsequently passed to include or require statements, it fails to properly sanitize or validate these inputs before use. This allows malicious actors to inject file paths that can point to local system files or remote URLs, effectively bypassing normal access controls and potentially executing arbitrary PHP code. The vulnerability operates at the core of PHP's dynamic inclusion mechanisms where functions like include_once(), require(), or similar constructs are used without proper security checks.

From an operational impact perspective, this vulnerability creates severe risks for affected systems including unauthorized access to sensitive server files, potential execution of malicious payloads, and complete compromise of the web application environment. Attackers can exploit this weakness to read arbitrary files from the server filesystem, potentially accessing configuration files containing database credentials or other sensitive information. The local file inclusion aspect means that attackers can leverage the vulnerability to include system files or even remote PHP shells, depending on the target server configuration and available resources. This presents a significant threat vector for attackers seeking persistent access or data exfiltration from vulnerable installations.

The security implications align with CWE-98 and CWE-88 categories within the Common Weakness Enumeration framework, specifically addressing improper control of dynamic code features and improper neutralization of special elements used in os command injection contexts. The vulnerability also maps to several MITRE ATT&CK techniques including T1505.003 for Server Software Component Vulnerabilities and T1213.002 for Data from Information Repositories, highlighting the potential for both initial compromise and data access. Organizations should implement immediate mitigations including input validation, parameter sanitization, and removal of user-controllable parameters from include/require statements. Recommended defenses include implementing allowlists for acceptable file paths, using absolute paths instead of relative ones, and ensuring proper access controls are enforced through web server configurations and PHP security settings.

The vulnerability demonstrates the critical importance of secure coding practices in PHP applications, particularly around dynamic code execution. Modern secure development practices require strict validation of all user inputs before use in include/require operations, and the implementation of proper input sanitization routines to prevent injection attacks. Regular security audits and vulnerability scanning should be conducted to identify similar issues across all web application components. System administrators should also monitor for exploitation attempts through log analysis and implement web application firewalls to detect and block malicious requests targeting known vulnerable patterns in PHP applications. The affected Mikado-Themes Dør dor versions should be immediately updated to patched releases or the theme completely removed from vulnerable installations until proper security measures can be implemented.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!