CVE-2026-57803 in Struktur Core Plugininfo

Summary

by MITRE • 07/13/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through <= 2.5.1.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The vulnerability described represents a critical improper control of filename for include/require statements in PHP applications, commonly known as PHP Remote File Inclusion or Local File Inclusion (LFI/RFI) vulnerabilities. This weakness occurs when an application allows user input to influence the file inclusion mechanism without proper validation or sanitization, creating opportunities for attackers to execute arbitrary code or access sensitive files on the server. The specific instance affects Select-Themes Struktur Core struktur-core version 2.5.1 and earlier versions, indicating a widespread issue within this content management system component. This vulnerability type falls under CWE-98 which specifically addresses improper control of filename for include/require statements in PHP programs.

The technical flaw manifests when the application accepts user-controllable parameters that are directly passed to PHP's include or require functions without adequate sanitization. In the context of Struktur Core, this likely occurs through parameters such as template paths, module names, or configuration file references where attacker-controlled input can influence which files are included during script execution. When an attacker can manipulate these parameters, they may be able to include local files on the server, potentially leading to code execution, data exposure, or system compromise. The vulnerability enables attackers to leverage the PHP include mechanism for unauthorized access to sensitive server resources and could facilitate further exploitation through the inclusion of malicious payloads.

The operational impact of this vulnerability is severe as it provides attackers with multiple attack vectors for compromising the affected system. Successful exploitation can result in unauthorized code execution, allowing attackers to gain full control over the web application server or potentially escalate privileges to the underlying operating system. The vulnerability also enables data exfiltration where sensitive information such as database credentials, configuration files, or user data can be accessed through file inclusion techniques. Additionally, this weakness could serve as a stepping stone for more sophisticated attacks including privilege escalation, lateral movement within networks, or persistent backdoor installation, making it particularly dangerous in enterprise environments where the application may have access to critical systems and data.

Mitigation strategies should focus on implementing proper input validation and sanitization mechanisms that prevent user-controlled data from influencing file inclusion operations. The primary defense involves eliminating direct user input from include/require statements by using whitelisting approaches or predefined configuration values instead of dynamic parameters. Applications should employ strict parameter validation, implement proper access controls for file operations, and utilize secure coding practices such as the principle of least privilege when handling file operations. Additionally, disabling remote file inclusion features in PHP configurations through settings like allow_url_include = Off can significantly reduce attack surface. Organizations should also implement web application firewalls to detect and block suspicious include patterns, conduct regular security code reviews, and maintain up-to-date software versions to prevent exploitation of known vulnerabilities. This vulnerability aligns with ATT&CK technique T1505.003 which covers server-side include attacks, emphasizing the need for robust input validation and secure file handling practices in web applications.

Responsible

Patchstack

Reservation

06/25/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!