Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gustavo gustavo allows PHP Local File Inclusion. This issue affects Gustavo: from n/a through <= 1.2.2.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to potential code execution
Action: Immediate Patch
AI Analysis

Impact

An improper control of filename for include/require statements in the AncoraThemes Gustavo WordPress theme permits local file inclusion. This weakness is categorized as CWE-98. The vulnerability can allow an authenticated or unauthenticated attacker to read arbitrary local files or execute arbitrary PHP code, effectively compromising the confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The Gustavo theme distributed by AncoraThemes is affected only in versions up to and including 1.2.2. Sites that have installed any of these versions expose the filesystem to local file inclusion. The vulnerability applies to any WordPress environment that supports this theme.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability does not appear in the CISA KEV catalog. The attack vector is inferred to be local file inclusion through manipulated input that the theme uses in its include/require logic; an attacker could supply a crafted path via a URL parameter or form field to trigger inclusion of sensitive system files or execute malicious PHP scripts.

Generated by OpenCVE AI on April 16, 2026 at 16:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update for the Gustavo theme (≥ 1.2.3) to remove the LFI flaw.
  • If an update cannot be applied immediately, deactivate or uninstall the Gustavo theme to prevent inclusion of arbitrary files.
  • Ensure that the WordPress installation’s file permissions restrict web‑server access to sensitive directories, and consider using a web application firewall or security plugin to detect and block suspicious include/require requests.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 00:15:00 +0000
  Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000
  Type: Metrics (cvssV3_1)
  Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000
  Type: First Time appeared
  Values added: Ancorathemes; Ancorathemes gustavo; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values added: Ancorathemes; Ancorathemes gustavo; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000
  Type: Description
  Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gustavo gustavo allows PHP Local File Inclusion. This issue affects Gustavo: from n/a through <= 1.2.2.
  Type: Title
  Values added: WordPress Gustavo theme <= 1.2.2 - Local File Inclusion vulnerability
  Type: Weaknesses
  Values added: CWE-98
  Type: References
  Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:38.946Z

Reserved: 2026-01-07T12:21:29.302Z

Link: CVE-2026-22371

Vulnrichment

Updated: 2026-02-24T20:31:03.456Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:36.397

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22371

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses