CVE-2026-27047 Overview
CVE-2026-27047 is a PHP Local File Inclusion (LFI) vulnerability affecting the Curly Core WordPress plugin developed by Mikado-Themes. The vulnerability stems from improper control of filename parameters used in PHP include/require statements, allowing attackers to include arbitrary local files from the server filesystem. This can lead to sensitive information disclosure, configuration file exposure, and potentially remote code execution if combined with other attack techniques such as log poisoning.
Critical Impact
Unauthenticated attackers can potentially read sensitive server files, access WordPress configuration credentials, and achieve code execution through file inclusion chains.
Affected Products
- Mikado-Themes Curly Core plugin versions up to and including 2.1.6
- WordPress installations using the vulnerable Curly Core plugin
- Websites using themes that depend on the Curly Core plugin
Discovery Timeline
- 2026-03-25 - CVE-2026-27047 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-27047
Vulnerability Analysis
This vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The Curly Core plugin builds the path handed to PHP's include or require from user-controlled input without adequately restricting it, so an attacker who controls that input can steer the include to an arbitrary file on the local filesystem.
The attack requires network access but involves high complexity, as successful exploitation may depend on specific server configurations and the presence of exploitable files. However, no authentication or user interaction is required, making it a significant threat to vulnerable WordPress installations.
Root Cause
The root cause is insufficient validation of a user-supplied parameter that is subsequently used in a PHP file inclusion operation. The plugin neither checks the value against an allowlist of expected names nor confirms that the resolved path stays inside the intended directory, so directory traversal sequences (such as ../, including URL-encoded or double-encoded forms) or absolute paths let an attacker break out of that directory and reach arbitrary files on the server.
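The following is an added model of this CWE-98 pattern, not the Curly Core plugin's own code: a naive resolver that strips "../" in a single pass and concatenates the remainder onto a directory, beside a hardened resolver that rejects absolute paths and null bytes, confirms the realpath stays inside the include directory, and optionally enforces an allowlist. The temporary directory tree, the file names and the "requested" value (standing in for whatever parameter the plugin passes to include) are all constructed for the demonstration.

```python
"""Added model of the CWE-98 include pattern behind CVE-2026-27047.

This is not the Curly Core plugin's code: it models the generic weak pattern
(concatenate a request parameter onto a directory after a single-pass "../"
strip) beside a hardened resolver. File and directory names are constructed
in a temporary tree; the "requested" value stands in for whatever parameter
the plugin passes to include/require.
"""
import os
import tempfile
from typing import Dict, Optional, Set


def naive_resolve(base_dir: str, requested: str) -> str:
    """Weak pattern: strip "../" once, then concatenate.

    A single-pass replace is defeated by "....//": removing the inner "../"
    leaves "../" behind, so the caller can still climb out of base_dir.
    """
    cleaned = requested.replace("../", "")
    return base_dir + "/" + cleaned


def hardened_resolve(base_dir: str, requested: str,
                     allowed: Optional[Set[str]] = None) -> str:
    """Resolve with realpath containment plus an optional allowlist.

    Rejects null bytes, absolute paths, anything that resolves outside
    base_dir (traversal, symlinks) and, when an allowlist is supplied,
    any name not explicitly permitted.
    """
    if "\x00" in requested or os.path.isabs(requested):
        raise ValueError(f"rejected input: {requested!r}")
    if allowed is not None and requested not in allowed:
        raise ValueError(f"not allowlisted: {requested!r}")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError(f"escapes include directory: {requested!r}")
    return target


def demo() -> Dict[str, bool]:
    """Build a constructed tree and exercise both resolvers."""
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as root:
        templates = os.path.join(root, "templates")
        os.makedirs(templates)
        with open(os.path.join(templates, "header.php"), "w") as fh:
            fh.write("<?php /* constructed template */ ?>\n")
        # Constructed stand-in for a sensitive file one level above the include dir.
        secret = os.path.join(root, "wp-config.php")
        with open(secret, "w") as fh:
            fh.write("<?php define('DB_PASSWORD', 'constructed'); ?>\n")

        # 1. Naive resolver: "....//" survives the strip and reaches the secret.
        naive = naive_resolve(templates, "....//wp-config.php")
        results["naive_escapes"] = os.path.realpath(naive) == os.path.realpath(secret)
        results["naive_target_exists"] = os.path.exists(naive)

        # 2. Hardened resolver: the allowlisted template is accepted ...
        ok = hardened_resolve(templates, "header.php", {"header.php"})
        results["hardened_accepts"] = ok.endswith("header.php")

        # ... and each escape attempt is refused even without an allowlist.
        attempts = ["../wp-config.php", "x/../../wp-config.php", secret, "header.php\x00"]
        rejected = []
        for attempt in attempts:
            try:
                hardened_resolve(templates, attempt)
            except ValueError:
                rejected.append(attempt)
        results["hardened_rejects_all"] = rejected == attempts
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The allowlist is the real fix for a template-selection parameter; the realpath containment check is a second layer that also catches symlinks and lexical tricks the allowlist author did not anticipate.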
Attack Vector
The vulnerability is exploitable over the network without authentication. An attacker crafts HTTP requests in which the filename parameter carries path traversal sequences (../, including URL-encoded and double-encoded forms) or an absolute path, so that the plugin's include resolves to a file outside its intended directory. Non-PHP files such as /etc/passwd are returned verbatim in the response. Files that contain PHP, such as wp-config.php, are executed by include rather than displayed, so disclosing their source (and the database credentials and authentication keys inside) typically relies on the php://filter wrapper (for example convert.base64-encode), which include honours regardless of the allow_url_include setting.
The attack can potentially be escalated to remote code execution through techniques such as:
- Log file poisoning: placing PHP code in a log the web server or PHP process can read (for example through a request header) and then including that log file
- Including a previously uploaded file (an image, temp file or cache entry) that carries PHP code
- PHP stream wrappers: php://filter serves source disclosure by default, while php://input and data:// execute attacker-supplied code only when allow_url_include is enabled (it is off by default)
For detailed technical information about this vulnerability, refer to the Patchstack WordPress Vulnerability Advisory.
Detection Methods for CVE-2026-27047
Indicators of Compromise
- Web server access logs containing path traversal sequences such as ../, ..%2f, or %2e%2e/ in requests to WordPress plugin endpoints
- HTTP requests targeting /wp-content/plugins/curly-core/ with suspicious filename parameters
- Unexpected file access patterns in server logs, particularly attempts to read /etc/passwd, wp-config.php, or similar sensitive files
- Error logs showing PHP warnings about failed file inclusions or open_basedir violations
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block path traversal patterns in HTTP requests
- Monitor access logs for requests containing encoded directory traversal sequences (%2e, %2f, double-encoded %252e/%252f) and null bytes (%00; null-byte truncation only works on PHP older than 5.3.4, but it remains a common probe)
- Implement file integrity monitoring on WordPress core files and the wp-config.php configuration file
- Use intrusion detection systems with signatures for PHP LFI exploitation attempts
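The following is an added offline detector covering the indicators and the log-monitoring strategies listed above; it is not part of the advisory or of any vendor product. The log lines are constructed in combined log format, and the index.php endpoint and the "template" parameter in them are hypothetical placeholders, since the advisory does not name the vulnerable parameter. The detector decodes each path and query value repeatedly (to expose double encoding), then flags traversal sequences, null bytes, sensitive file targets and PHP stream wrappers, and records whether the request targeted the curly-core plugin path.

```python
"""Added example: offline detector for the CVE-2026-27047 indicators above.

Not part of the original advisory or any vendor tool. SAMPLE_LOG is constructed;
"index.php" and the "template" parameter are hypothetical placeholders because
the advisory does not name the vulnerable endpoint or parameter.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PATH = "/wp-content/plugins/curly-core/"
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")  # also matches "....//" filter-bypass forms
SENSITIVE_TARGETS = ("/etc/passwd", "wp-config.php", "/proc/self/")
WRAPPERS = ("php://", "data://", "expect://", "phar://")


def full_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(uri: str) -> List[str]:
    """Return the sorted list of indicator categories a request URI matches."""
    parts = urlsplit(uri)
    # parse_qsl decodes once; full_decode then strips any remaining layers.
    candidates = [full_decode(parts.path)]
    candidates += [full_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for value in candidates:
        low = value.lower()
        if TRAVERSAL_RE.search(value):
            reasons.add("traversal")
        if "\x00" in value:
            reasons.add("null-byte")
        if any(t in low for t in SENSITIVE_TARGETS):
            reasons.add("sensitive-target")
        if any(w in low for w in WRAPPERS):
            reasons.add("php-wrapper")
    return sorted(reasons)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and return a finding for every suspicious request."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        reasons = classify(match["uri"])
        if reasons:
            path = full_decode(urlsplit(match["uri"]).path)
            findings.append({
                "ip": match["ip"],
                "status": int(match["status"]),
                "uri": match["uri"],
                "reasons": reasons,
                "targets_plugin": path.startswith(PLUGIN_PATH),
            })
    return findings


# Constructed sample traffic: one benign plugin asset request, four probes, one benign search.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Mar/2026:10:00:01 +0000] "GET /wp-content/plugins/curly-core/assets/js/main.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Mar/2026:10:00:02 +0000] "GET /wp-content/plugins/curly-core/index.php?template=....//....//....//etc/passwd HTTP/1.1" 200 1847 "-" "curl/8.0"',
    '203.0.113.7 - - [25/Mar/2026:10:00:03 +0000] "GET /wp-content/plugins/curly-core/index.php?template=%2e%2e%2f%2e%2e%2fwp-config.php%00 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [25/Mar/2026:10:00:04 +0000] "GET /wp-content/plugins/curly-core/index.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [25/Mar/2026:10:00:05 +0000] "GET /wp-content/plugins/curly-core/index.php?template=php://filter/convert.base64-encode/resource=../../../../wp-config.php HTTP/1.1" 200 9211 "-" "python-requests/2.31"',
    '198.51.100.2 - - [25/Mar/2026:10:00:06 +0000] "GET /?s=curly+bracket HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["status"], finding["reasons"], finding["uri"])
```

A 200 response to a traversal probe is the finding to escalate first: it suggests the include resolved and returned content, whereas 404/500 responses are consistent with open_basedir blocks or a non-vulnerable endpoint. Tune TRAVERSAL_RE if legitimate parameters on a site contain ".." sequences.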
Monitoring Recommendations
- Enable verbose logging on web servers to capture full request URIs and parameters
- Configure real-time alerting for access attempts to sensitive system files
- Monitor for unusual PHP process behavior such as accessing files outside expected directories
- Implement SentinelOne Singularity Platform for continuous endpoint monitoring and behavioral analysis of web server processes
How to Mitigate CVE-2026-27047
Immediate Actions Required
- Update the Curly Core plugin to a patched version (if available from Mikado-Themes) immediately
- If no patch is available, consider disabling the Curly Core plugin until a fix is released
- Review web server access logs for signs of exploitation attempts
- Implement WAF rules to block path traversal attacks targeting the vulnerable plugin
Patch Information
Organizations should check with Mikado-Themes for an updated version of the Curly Core plugin that addresses this vulnerability. The vulnerability affects all versions through 2.1.6. Monitor the Patchstack Advisory for updates on patch availability.
Workarounds
- Disable the Curly Core plugin if it is not essential to site functionality
- Implement strict WAF rules to filter path traversal attempts in all HTTP parameters
- Configure the PHP open_basedir directive to restrict file access to the WordPress installation directory (plus the temp directory PHP needs for uploads and sessions); note that this blocks reads of system files such as /etc/passwd but not of files inside the WordPress tree such as wp-config.php
- Use a security plugin to add additional input validation layers for WordPress plugin requests
# Apache .htaccess hardening for mod_php (php_value/php_flag are not php.ini syntax
# and are ignored under PHP-FPM; use the php.ini form below in that case)
# Restrict PHP file access to the WordPress tree plus PHP's temp/session directory
php_value open_basedir "/var/www/html/wordpress/:/tmp/"
# Log PHP errors without displaying them to visitors
php_flag display_errors off
php_flag log_errors on

; php.ini (or PHP-FPM pool, as php_admin_value[...]) equivalents; disable_functions is
; PHP_INI_SYSTEM and cannot be set from .htaccess. Disabling these functions limits
; post-exploitation command execution but does not prevent the file inclusion itself.
open_basedir = "/var/www/html/wordpress/:/tmp/"
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
display_errors = Off
log_errors = On
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

