CVE-2026-27047 is a Local File Inclusion (LFI) vulnerability found in the Mikado-Themes Curly Core WordPress plugin, affecting versions up to 2.1.6. The vulnerability arises from improper control of the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary files from the server's filesystem. This can lead to sensitive information disclosure, such as configuration files, password files, or other sensitive data stored on the server. In some cases, if combined with other vulnerabilities or misconfigurations, it may allow remote code execution by including malicious files uploaded to the server. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers who can send crafted HTTP requests to vulnerable endpoints. Although no known public exploits are currently reported, the nature of LFI vulnerabilities makes them a significant risk, especially in shared hosting or poorly secured environments. The plugin is widely used in WordPress sites, which increases the attack surface. The lack of a CVSS score indicates that the vulnerability is newly published and awaiting further analysis. The vulnerability was reserved in February 2026 and published in March 2026, indicating recent discovery. No official patches or updates are linked yet, so users must monitor vendor advisories closely. The vulnerability's root cause is insufficient input validation or sanitization of the filename parameter used in include/require statements, a common PHP security issue. Attackers can exploit this by manipulating URL parameters or POST data that control file inclusion.

The impact of CVE-2026-27047 on organizations worldwide can be severe. Successful exploitation can lead to unauthorized disclosure of sensitive files, such as database credentials, configuration files, or user data, compromising confidentiality. It may also allow attackers to execute arbitrary PHP code if they can upload malicious files or leverage other vulnerabilities, threatening system integrity and availability. This can result in website defacement, data breaches, or full server compromise. Organizations relying on Mikado-Themes Curly Core for their WordPress sites, especially those hosting sensitive or business-critical data, face risks of reputational damage, financial loss, and regulatory penalties. The vulnerability's ease of exploitation without authentication increases the likelihood of automated scanning and attacks by opportunistic threat actors. Additionally, the widespread use of WordPress globally amplifies the potential attack surface. The absence of known exploits in the wild currently provides a window for proactive mitigation, but this may change rapidly once exploit code becomes available.

To mitigate CVE-2026-27047, organizations should first monitor Mikado-Themes official channels for patches or updates addressing this vulnerability and apply them promptly once released. In the absence of an official patch, administrators should audit the Curly Core plugin code, focusing on all include/require statements that use user-controllable input, and implement strict input validation and sanitization to allow only expected filenames or paths. Employing a whitelist approach for allowable files is recommended. Disabling or restricting the plugin temporarily may be necessary if a patch is not available and risk is high. Additionally, implementing Web Application Firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts can reduce exposure. Regularly scanning WordPress installations for vulnerable plugins and maintaining an inventory of installed components helps in timely vulnerability management. Restricting file permissions on the server to limit access to sensitive files can reduce the impact of LFI attacks. Finally, monitoring logs for unusual requests targeting file inclusion parameters can provide early detection of exploitation attempts.