Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Coworking coworking allows PHP Local File Inclusion. This issue affects Coworking: from n/a through <= 1.6.1.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion with potential for information disclosure or remote code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper control of filename for include/require statements in PHP, allowing an attacker to request arbitrary local files for inclusion. This weakness can lead to sensitive file disclosure or, if attacker‑controlled files are executed, remote code execution. The vulnerability is classified as CWE‑98.

Affected Systems

This flaw affects the AncoraThemes Coworking theme in versions up to and including 1.6.1 (no lower bound is given), on WordPress installations that use this theme.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time, and the vulnerability is not currently listed in CISA’s KEV catalog. Based on the description, the attack vector is likely through inputs that control the include path; an attacker who can influence such parameters, possibly via theme options or URL manipulation, may trigger the inclusion of sensitive files.

Generated by OpenCVE AI on April 16, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Coworking theme to a version newer than 1.6.1 or remove the theme if no patch is available.
  • If an update is not possible, disable or delete the theme to prevent its execution.
  • Apply file permission restrictions so that the web server process cannot read sensitive configuration files and constrain the PHP include path to a whitelist.


Advisories

No advisories yet.

History

Wed, 25 Feb 2026 08:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 24 Feb 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


Mon, 23 Feb 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Ancorathemes, Ancorathemes coworking, Wordpress, Wordpress wordpress |
| Vendors & Products | | Ancorathemes, Ancorathemes coworking, Wordpress, Wordpress wordpress |

Fri, 20 Feb 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Coworking coworking allows PHP Local File Inclusion. This issue affects Coworking: from n/a through <= 1.6.1. |
| Title | | WordPress Coworking theme <= 1.6.1 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:38.342Z

Reserved: 2026-01-07T12:21:29.301Z

Link: CVE-2026-22367

Vulnrichment

Updated: 2026-02-24T20:31:11.739Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:35.817

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses