CVE-2026-57795 in Kitchor Plugininfo

Summary

by MITRE • 07/13/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Kitchor kitchor allows PHP Local File Inclusion.This issue affects Kitchor: from n/a through <= 1.4.3.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/13/2026

The PHP Remote File Inclusion vulnerability identified in themelexus Kitchor kitchor represents a critical security flaw that enables attackers to execute arbitrary PHP code through manipulated file inclusion parameters. This vulnerability falls under the CWE-88 category, specifically addressing improper control of filename for include/require statements within PHP applications. The flaw manifests when the application fails to properly validate or sanitize user input before using it in dynamic include or require operations, creating an avenue for malicious actors to inject and execute unauthorized code.

The technical implementation of this vulnerability occurs when the kitchor themelexus plugin accepts user-supplied parameters that are directly incorporated into PHP include statements without adequate sanitization. Attackers can exploit this by manipulating URL parameters or POST data to reference remote files or local system files, potentially leading to full system compromise. The vulnerability affects versions from n/a through 1.4.3, indicating that all installations within this range remain susceptible to exploitation. This type of vulnerability is particularly dangerous because it allows for arbitrary code execution, which can result in complete server takeover, data exfiltration, or further lateral movement within a network environment.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with the capability to escalate privileges and access sensitive system resources. When exploited successfully, the vulnerability enables unauthorized users to read arbitrary files on the server, execute malicious commands, and potentially establish persistent backdoors. This poses significant risks to organizations relying on vulnerable WordPress installations, as the attack surface expands to include not just the compromised plugin but potentially the entire web server infrastructure. The vulnerability aligns with ATT&CK technique T1190, which describes the use of remote access tools and exploitation of web application vulnerabilities for unauthorized system access.

Mitigation strategies should focus on immediate patching of affected versions, implementation of input validation controls, and deployment of web application firewalls to monitor for suspicious inclusion patterns. Organizations must ensure that all user inputs are properly sanitized before being used in include/require operations, implementing strict whitelisting mechanisms for file paths. Additionally, disabling remote file inclusion capabilities through php.ini configuration settings can provide an additional layer of protection. The remediation process should also include comprehensive security audits to identify other potential injection points and ensure proper access controls are implemented throughout the application architecture.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!