Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fooddy fooddy allows PHP Local File Inclusion. This issue affects Fooddy: from n/a through <= 1.3.10.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an improper control of filename for include/require statements in the Fooddy theme. A malicious actor can manipulate the file path in a request so that the theme includes local files on the server. This can lead to disclosure of sensitive data or execution of arbitrary code, effectively giving an attacker remote code execution or privilege escalation.

Affected Systems

AncoraThemes Fooddy theme versions through and including 1.3.10 are affected. The issue does not apply to versions newer than 1.3.10.

Risk and Exploitability

The CVSS v3.1 score is 8.1, placing the vulnerability in the high severity range. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote unauthenticated request that abuses the vulnerable include mechanism, allowing the attacker to request arbitrary local files or inject malicious code.

Generated by OpenCVE AI on April 16, 2026 at 06:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fooddy theme to a version newer than 1.3.10, or replace it with a vendor‑maintained alternative.
  • Apply the latest WordPress core updates and any related plugin patches to reduce overall attack surface.
  • Restrict the file system permissions and PHP include paths to prevent user‑controlled file inclusion, and use input validation or a whitelist for file names.
  • Deploy a web application firewall or intrusion‑prevention system to block suspicious inclusion attempts.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Values Added:
  • Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Values Added:
  • First Time appeared: Ancorathemes; Ancorathemes fooddy; Wordpress; Wordpress wordpress
  • Vendors & Products: Ancorathemes; Ancorathemes fooddy; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Values Added:
  • Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fooddy fooddy allows PHP Local File Inclusion. This issue affects Fooddy: from n/a through <= 1.3.10.
  • Title: WordPress Fooddy theme <= 1.3.10 - Local File Inclusion vulnerability
  • Weaknesses: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:39.304Z

Reserved: 2026-01-07T12:21:29.302Z

Link: CVE-2026-22373

Vulnrichment

Updated: 2026-02-24T20:30:57.581Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:36.653

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22373

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses