Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Isida isida allows PHP Local File Inclusion. This issue affects Isida: from n/a through <= 1.4.2.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that may lead to Remote Code Execution
Action: Patch Now
AI Analysis

Impact

This vulnerability permits an attacker to supply an arbitrary filename to PHP include or require statements within the Isida theme, enabling Local File Inclusion. Such inclusion can allow the attacker to read sensitive files or, if the attacker can upload PHP code, execute arbitrary code on the server. The impact is therefore a possible compromise of confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

AncoraThemes Isida theme versions up to and including 1.4.2 on WordPress installations are affected. All installations that use the default Isida theme logic without a later revision are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high technical severity. The EPSS score of less than 1 % suggests that, at present, the likelihood of widespread exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the likely attack vector is a web‑based request that manipulates a filename parameter to trigger the vulnerable include path. Should an attacker successfully exploit this flaw, they could read arbitrary files or execute code, potentially leading to full server compromise.

Generated by OpenCVE AI on April 16, 2026 at 06:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AncoraThemes Isida to the latest available version that removes the vulnerable include logic.
  • If an upgrade is not immediately possible, deactivate the Isida theme or remove it from the active theme list until the issue is resolved.
  • Modify the theme code to validate and whitelist file names before any include/require statements, ensuring only authorized, pre‑defined files can be included.
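
One way to apply the last recommendation, shown as an added example that is not code from the Isida theme or from OpenCVE. The function names, the template keys and the `template-parts` directory are hypothetical; the request value only selects an entry in a fixed map and never becomes part of a path.

```php
<?php
// Added example: allowlisted include for a theme template loader.
// All names here (example_theme_*, the keys, the file names) are
// hypothetical and are not taken from the Isida theme.

/**
 * Map a request-supplied key to a template file inside $baseDir.
 * Returns the absolute path, or null when the key is not allowed.
 */
function example_theme_resolve_part(string $key, string $baseDir): ?string
{
    // Fixed allowlist: request key => file shipped with the theme.
    $allowed = [
        'header'  => 'header-default.php',
        'sidebar' => 'sidebar-blog.php',
        'footer'  => 'footer-default.php',
    ];

    if (!array_key_exists($key, $allowed)) {
        return null; // unknown key, including "../" and stream wrappers
    }

    // Defence in depth: the resolved file must stay inside $baseDir,
    // which also catches a symlink that points outside the theme.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function example_theme_load_part(string $key, string $baseDir): bool
{
    $path = example_theme_resolve_part($key, $baseDir);
    if ($path === null) {
        // Encode and truncate the rejected value before logging it.
        error_log('Rejected template key: ' . rawurlencode(substr($key, 0, 64)));
        return false;
    }
    require $path;
    return true;
}
```

A caller would pass the raw request value as `$key` and a theme-controlled directory as `$baseDir`; rejected keys show up in the PHP error log, which gives a signal to alert on.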

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ancorathemes; Ancorathemes isida; Wordpress; Wordpress wordpress
Vendors & Products | | Ancorathemes; Ancorathemes isida; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Isida isida allows PHP Local File Inclusion. This issue affects Isida: from n/a through <= 1.4.2.
Title | | WordPress Isida theme <= 1.4.2 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:39.108Z

Reserved: 2026-01-07T12:21:29.302Z

Link: CVE-2026-22372

Vulnrichment

Updated: 2026-02-20T19:17:28.516Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:36.527

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22372

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses