Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Zio Alberto zioalberto allows PHP Local File Inclusion.This issue affects Zio Alberto: from n/a through <= 1.2.2.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file inclusion potentially exposing sensitive data and code execution
Action: Immediate Patch
AI Analysis

Impact

The CVE arises from an improper control of filenames that are passed directly to PHP’s include/require statements within the AncoraThemes Zio Alberto theme. Because the theme accepts arbitrary file paths, an attacker can cause the web server to read and execute files located anywhere on the filesystem. This can lead to the disclosure of configuration files, credentials, or other sensitive data, and, if the included file contains malicious code, can result in full control over the site. The weakness is identified as CWE‑98.

Affected Systems

All installations of the Zio Alberto theme with a version number up to and including 1.2.2 are affected. The description specifies the vulnerability exists from "n/a through <= 1.2.2", implying that any deployment using a version within that range must be considered vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high‑severity flaw. The EPSS score of less than 1% suggests that, at the time of this analysis, exploitation is unlikely to be widespread. The likely attack vector is inferred from the description: an attacker can supply a crafted request that passes an arbitrary file path to the insecure include logic, possibly through a visible query parameter or a hidden form field. Although the vulnerability has not been listed in the CISA KEV catalog, the potential for confidential data disclosure or code execution warrants immediate attention.

Generated by OpenCVE AI on April 16, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zio Alberto theme to any release newer than 1.2.2 that removes the vulnerable include logic.
  • If an upgrade cannot be performed immediately, modify or disable the element of the theme that accepts user‑supplied file paths before passing them to include or require.
  • Restrict file system access on the web server by denying read permissions to directories that should not be exposed to the theme, ensuring that only necessary files are accessible.

Generated by OpenCVE AI on April 16, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes zio Alberto
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes zio Alberto
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Zio Alberto zioalberto allows PHP Local File Inclusion.This issue affects Zio Alberto: from n/a through <= 1.2.2.
Title WordPress Zio Alberto theme <= 1.2.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Ancorathemes Zio Alberto
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:39.497Z

Reserved: 2026-01-07T12:21:36.721Z

Link: CVE-2026-22374

cve-icon Vulnrichment

Updated: 2026-02-20T19:16:00.970Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:36.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T16:45:25Z

Weaknesses