CVE-2026-27077 is a Local File Inclusion (LFI) vulnerability affecting Mikado-Themes MultiOffice, a PHP-based WordPress theme product, in versions up to and including 1.2. The vulnerability stems from improper validation and control of filenames used in PHP include or require statements, which allows an attacker to manipulate the file path parameter. This can enable the inclusion of arbitrary local files on the server, potentially exposing sensitive information such as configuration files, source code, or credentials. In some cases, LFI can be leveraged to achieve remote code execution if the attacker can include files containing malicious code or upload files to the server. Although no public exploits are currently known, the vulnerability is critical due to the widespread use of PHP and WordPress themes, and the ease with which an attacker can exploit the flaw without authentication or user interaction. The vulnerability was reserved in February 2026 and published in March 2026, with no CVSS score assigned yet. The lack of patch links indicates that a fix may not be publicly available at this time, increasing the urgency for mitigation.

The impact of CVE-2026-27077 can be severe for organizations using the affected MultiOffice theme. Successful exploitation can lead to unauthorized disclosure of sensitive files, including credentials and configuration data, which can facilitate further attacks. In worst-case scenarios, attackers may achieve remote code execution, leading to full system compromise, data theft, defacement, or use of the server as a pivot point for lateral movement within a network. This can disrupt business operations, damage reputation, and lead to regulatory non-compliance. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely by unauthenticated attackers, increasing the risk of widespread attacks. Organizations relying on PHP-based CMS and themes are particularly vulnerable, especially if they have not applied updates or mitigations.

To mitigate CVE-2026-27077, organizations should first check for and apply any available patches or updates from Mikado-Themes as soon as they are released. In the absence of official patches, immediate steps include: 1) Implement strict input validation and sanitization on all parameters that influence file inclusion to prevent path traversal or arbitrary file inclusion. 2) Employ whitelisting of allowable files or directories for inclusion rather than relying on user input. 3) Disable allow_url_include and allow_url_fopen in PHP configurations to prevent remote file inclusion vectors. 4) Use web application firewalls (WAFs) to detect and block suspicious requests targeting file inclusion parameters. 5) Monitor server logs for unusual access patterns or error messages related to file inclusion attempts. 6) Restrict file permissions on the server to limit access to sensitive files. 7) Consider isolating or sandboxing the affected application to reduce potential damage. 8) Educate developers and administrators about secure coding practices related to file inclusion.