Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ironfit ironfit allows PHP Local File Inclusion. This issue affects Ironfit: from n/a through <= 1.5.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion with possible code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper control of filenames in PHP include/require statements, allowing an attacker to supply a path that references arbitrary local files. If left unmitigated, this can lead to the disclosure of sensitive information, or to execution of malicious code if an attacker can first place malicious content on the server and then include it. The weakness is classified as CWE-98, a common file inclusion flaw, here exposed in the WordPress admin context.

Affected Systems

The affected product is the AncoraThemes Ironfit WordPress theme, version 1.5 and earlier. Any site running those versions is susceptible until updated. No other versions or products are listed in the CNA data.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and although the EPSS value is less than 1%, the risk remains significant because of the wide deployment of this theme. The vulnerability is not currently listed in the CISA KEV catalog, but its low exploitation probability does not eliminate the possibility of targeted attacks or future automated attempts. Attackers would likely target sites where the theme is present, reaching the flaw through unauthenticated web requests if the vulnerable code is exposed to user input.

Generated by OpenCVE AI on April 16, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ironfit theme to version 1.6 or later, or apply the vendor patch if available.
  • Disable allow_url_include in the PHP configuration and restrict include paths to a predefined whitelist.
  • Validate and sanitize any user-supplied parameters that are used in include/require calls.
  • If an immediate upgrade is not possible, temporarily disable the vulnerable functionality or the entire theme until a fix is applied.
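An added illustration of the second and third recommendations above (a predefined allowlist for include paths, and never passing a raw request parameter to include/require). This is hypothetical theme code written for this page, not Ironfit's own code or a Patchstack/OpenCVE artifact; the section names, the `section` parameter and the `template-parts/` files are assumptions.

```php
<?php
// Added example (hypothetical theme code, not Ironfit's own): load a
// template section chosen by a request parameter without ever letting
// that parameter become the include path. The CWE-98 anti-pattern this
// replaces has the shape  include $_GET['section'] . '.php';
// where the request value itself decides which local file is included.

// Allowlist: request value -> file inside the theme. Only these keys
// are accepted; the key itself is never used to build a path.
const EXAMPLE_SECTIONS = [
    'hero'     => 'template-parts/hero.php',
    'schedule' => 'template-parts/schedule.php',
    'trainers' => 'template-parts/trainers.php',
];

/**
 * Map a requested section name to an absolute file path, or null if the
 * name is unknown, the file is missing, or the resolved path escapes
 * $theme_dir (defence in depth against a bad allowlist entry or symlink).
 */
function example_resolve_section(string $requested, string $theme_dir): ?string
{
    if (!array_key_exists($requested, EXAMPLE_SECTIONS)) {
        return null;
    }
    $base = realpath($theme_dir);
    $path = realpath($theme_dir . '/' . EXAMPLE_SECTIONS[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has already collapsed any '..'; require the theme
    // directory as a prefix so the file cannot live outside it.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// In a theme file: get_template_directory() and status_header() are
// WordPress core functions; 'section' is an assumed parameter name.
$section = isset($_GET['section']) ? (string) $_GET['section'] : 'hero';
$file = example_resolve_section($section, get_template_directory());
if ($file === null) {
    status_header(404);
    exit;
}
include $file;
```

The `allow_url_include` setting from the second recommendation is a separate server-side control: it only blocks URL wrappers (remote inclusion) and does nothing for local paths, which is why the allowlist is still needed for the local file inclusion this record describes.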

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 23:15:00 +0000
  Type: Metrics
  Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000
  Type: Metrics
  Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000
  Type: First Time appeared
  Values added: Ancorathemes; Ancorathemes ironfit; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values added: Ancorathemes; Ancorathemes ironfit; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000
  Type: Description
  Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ironfit ironfit allows PHP Local File Inclusion. This issue affects Ironfit: from n/a through <= 1.5.
  Type: Title
  Values added: WordPress Ironfit theme <= 1.5 - Local File Inclusion vulnerability
  Type: Weaknesses
  Values added: CWE-98
  Type: References
  Values added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:38.636Z

Reserved: 2026-01-07T12:21:29.302Z

Link: CVE-2026-22369

Vulnrichment

Updated: 2026-02-24T20:31:07.472Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:36.120

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses