CVE-2026-32505
Local File Inclusion in CreativeWS Kiddy <= 2.0.8 Allows Code Execution
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| creativews | kiddy | up to 2.0.8 (inclusive) |
| creativews | kiddy | from 1.0 (inclusive) to 2.0.8 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Local File Inclusion (LFI) vulnerability in the WordPress Kiddy Theme versions up to 2.0.8 allows unauthenticated attackers to access sensitive files, including those containing database credentials. This exposure can lead to a complete database takeover depending on the site's configuration.
Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information. Failure to secure these files and prevent unauthorized access could lead to violations of these regulations.
Therefore, this vulnerability poses a significant compliance risk by potentially exposing the sensitive data that these regulations require to be protected.
Can you explain this vulnerability to me?
CVE-2026-32505 is a Local File Inclusion (LFI) vulnerability in the WordPress Kiddy Theme versions up to 2.0.8. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filenames in PHP include/require statements.
This vulnerability is classified under the OWASP Top 10 category A3: Injection and was reported by Phat RiO. It was patched in version 2.0.9 of the Kiddy Theme.
How can this vulnerability impact me?
Exploiting this vulnerability can allow attackers to access and display sensitive local files on the affected website without authentication.
- Exposure of sensitive files such as those containing database credentials.
- Potential complete database takeover depending on the site's configuration.
This can lead to severe security breaches, data loss, and unauthorized control over the website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to include and display local files from the target website by exploiting a Local File Inclusion (LFI) flaw in the Kiddy Theme up to version 2.0.8.
To detect this vulnerability on your system, you can monitor web server logs for suspicious requests attempting to include local files via URL parameters related to include or require statements.
Common detection commands or methods include searching for URL patterns that try to access sensitive files such as /etc/passwd or configuration files through HTTP requests.
- Use grep or similar tools on web server access logs to find requests containing suspicious file paths, for example: grep -i 'include' /var/log/apache2/access.log (expect noise from legitimate URLs containing that word; review the matches rather than treating each one as an attack).
- Look for requests with directory traversal sequences like '../' which may indicate attempts to exploit LFI.
- Use web vulnerability scanners or automated tools that can test for Local File Inclusion vulnerabilities on the affected endpoints.
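The log review described above can be automated. The script below is an added example, not code from the page or from Patchstack: it parses access-log lines in the Apache/nginx "combined" format (an assumption about your log layout), decodes each query-parameter value repeatedly so double-encoded traversal sequences are not missed, and flags requests that contain directory traversal or references to sensitive files. The log lines embedded in it are constructed for the demonstration; the theme path in them is a placeholder, not an endpoint taken from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" log format: client IP, timestamp, quoted request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Indicators the advisory's detection guidance mentions: traversal sequences and
# well-known sensitive files (the list is illustrative; extend it for your stack).
TRAVERSAL = re.compile(r'(?:\.\./|\.\.\\)')
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "wp-config.php", "/proc/self/environ")

# Constructed sample log lines (not taken from the page); "example-theme" is a placeholder path.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-content/themes/example-theme/view.php?file=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.5 - - [25/Mar/2026:10:00:02 +0000] "GET /?template=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4"
198.51.100.7 - - [25/Mar/2026:10:00:03 +0000] "GET /?page_id=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Mar/2026:10:00:04 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly so %252e%252e%252f-style double encoding is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_target(target: str) -> list[str]:
    """Return the sorted list of LFI indicators found in a request target (path + query)."""
    reasons = set()
    parts = urlsplit(target)
    # parse_qsl decodes once; fully_decode handles any further encoding layers.
    values = [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    values.append(fully_decode(parts.path))
    for v in values:
        if TRAVERSAL.search(v):
            reasons.add("directory traversal")
        for name in SENSITIVE_FILES:
            if name in v:
                reasons.add(f"sensitive file reference: {name}")
    return sorted(reasons)


def scan_log(text: str) -> list[dict]:
    """Scan log text and return one finding per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        reasons = inspect_target(m["target"])
        if reasons:
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "target": m["target"],
                "status": status,
                # A 2xx response to such a request deserves the most urgent review.
                "served": 200 <= status < 300,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SERVED" if hit["served"] else "refused"
        print(f'{hit["time"]} {hit["ip"]} {flag} {hit["target"]} -> {", ".join(hit["reasons"])}')
```

Run it against a real log by reading the file into scan_log; the "served" flag separates requests the server answered with a 2xx from ones it rejected, which is the first thing to triage when deciding whether a disclosure may already have happened.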
What immediate steps should I take to mitigate this vulnerability?
The most immediate and effective mitigation step is to update the Kiddy Theme to version 2.0.9 or later, where this vulnerability has been patched.
Until you can update, apply available automated mitigation rules provided by Patchstack to block attacks exploiting this vulnerability.
Additionally, monitor your web server logs for suspicious activity and restrict access to sensitive files on the server to minimize potential damage.