CVE-2026-32505
Received Received - Intake
Local File Inclusion in CreativeWS Kiddy <= 2.0.8 Allows Code Execution

Publication date: 2026-03-25

Last updated on: 2026-03-26

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy: from n/a through <= 2.0.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32505
EUVD
EUVD-2026-15859
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
creativews kiddy to 2.0.8 (inc)
creativews kiddy From 1.0 (inc) to 2.0.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32505 is a Local File Inclusion (LFI) vulnerability in the WordPress Kiddy Theme versions up to 2.0.8. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filenames in PHP include/require statements.

This vulnerability is classified under the OWASP Top 10 category A3: Injection and was reported by Phat RiO. It was patched in version 2.0.9 of the Kiddy Theme.

Impact Analysis

Exploiting this vulnerability can allow attackers to access and display sensitive local files on the affected website without authentication.

  • Exposure of sensitive files such as those containing database credentials.
  • Potential complete database takeover depending on the site's configuration.

This can lead to severe security breaches, data loss, and unauthorized control over the website.

Detection Guidance

This vulnerability allows unauthenticated attackers to include and display local files from the target website by exploiting a Local File Inclusion (LFI) flaw in the Kiddy Theme up to version 2.0.8.

To detect this vulnerability on your system, you can monitor web server logs for suspicious requests attempting to include local files via URL parameters related to include or require statements.

Common detection commands or methods include searching for URL patterns that try to access sensitive files such as /etc/passwd or configuration files through HTTP requests.

  • Use grep or similar tools on web server access logs to find requests containing suspicious file paths, for example: grep -i 'include' /var/log/apache2/access.log
  • Look for requests with directory traversal sequences like '../' which may indicate attempts to exploit LFI.
  • Use web vulnerability scanners or automated tools that can test for Local File Inclusion vulnerabilities on the affected endpoints.
Mitigation Strategies

The most immediate and effective mitigation step is to update the Kiddy Theme to version 2.0.9 or later, where this vulnerability has been patched.

Until you can update, apply available automated mitigation rules provided by Patchstack to block attacks exploiting this vulnerability.

Additionally, monitor your web server logs for suspicious activity and restrict access to sensitive files on the server to minimize potential damage.

Compliance Impact

The Local File Inclusion (LFI) vulnerability in the WordPress Kiddy Theme versions up to 2.0.8 allows unauthenticated attackers to access sensitive files, including those containing database credentials. This exposure can lead to a complete database takeover depending on the site's configuration.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information. Failure to secure these files and prevent unauthorized access could lead to violations of these regulations.

Therefore, this vulnerability poses a significant risk to compliance by potentially exposing sensitive data that these regulations mandate to protect.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32505. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart