Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion. This issue affects Chinchilla: from n/a through <= 1.16.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from inadequate validation of the filename used in include or require statements within the WordPress Chinchilla theme. Because the theme accepts user-controlled input for the file name, an attacker can compel the server to include unintended local files. This Local File Inclusion (CWE-98) can expose sensitive data and, if a malicious file is included, may enable remote code execution on the host.

Affected Systems

AncoraThemes Chinchilla theme, versions through 1.16

Risk and Exploitability

The CVSS score of 8.1 indicates a high risk level, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. It is inferred that the attack vector is a local request to the vulnerable WordPress site, with the attacker supplying a crafted parameter that causes the theme to include an attacker-controlled file.

Generated by OpenCVE AI on April 29, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Chinchilla theme to a fixed version that validates include paths
  • Disable or restrict the use of include/require statements in the theme so that only whitelisted files can be used
  • Implement additional input validation to ensure that file paths are confined to the intended directories
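As an added illustration of the last two recommendations (this is not code from the Chinchilla theme, whose affected include path is not shown on this page), the snippet below contrasts an unchecked include with one that maps the request value onto a fixed allowlist and then confirms the resolved path still lies under the template directory; the `template` parameter name and the allowlist entries are hypothetical.

```php
<?php
// Added example (not the Chinchilla theme's code): the pattern behind the
// "whitelist + confine to the intended directory" advice for CWE-98.
// $_GET['template'] is a hypothetical parameter name used for illustration.

// Vulnerable pattern: the request value reaches include unchecked, so any
// readable file on the host can be pulled in (CWE-98).
function render_template_unsafe(string $template_dir): void {
    $name = $_GET['template'] ?? 'default';
    include $template_dir . '/' . $name . '.php';
}

// Hardened pattern: accept only names from a fixed allowlist, then verify
// that the resolved path is really inside the template directory.
function resolve_template(string $template_dir, string $requested): ?string {
    static $allowed = ['default', 'portfolio', 'blog'];   // constructed list
    if (!in_array($requested, $allowed, true)) {
        return null;                                      // unknown name: reject
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $requested . '.php');
    // realpath() collapses "../" and symlinks; requiring the directory prefix
    // refuses any file that escapes $template_dir even if it exists.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template_dir): void {
    $requested = (string) ($_GET['template'] ?? 'default');
    $path = resolve_template($template_dir, $requested);
    if ($path === null) {
        http_response_code(400);            // reject rather than fall back
        exit('invalid template');
    }
    include $path;
}
```

With a fixed allowlist the realpath check is redundant for this input, but it keeps the include safe if the allowlist is later relaxed to accept user-supplied names.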

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
  Values Added: Wordpress, Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress, Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chinchilla chinchilla allows PHP Local File Inclusion. This issue affects Chinchilla: from n/a through <= 1.16.
Type: Title
  Values Added: WordPress Chinchilla theme <= 1.16 - Local File Inclusion vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:53.223Z

Reserved: 2025-09-25T15:19:17.077Z

Link: CVE-2025-60042

Vulnrichment

Updated: 2025-12-18T16:30:41.668Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:03.550

Modified: 2026-04-27T16:16:29.343

Link: CVE-2025-60042

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')