Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Parkivia parkivia allows PHP Local File Inclusion.This issue affects Parkivia: from n/a through <= 1.1.9.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from an improper control of the filename used in PHP's include/require statements within the AncoraThemes Parkivia theme. An attacker can manipulate the path parameter to trigger a local file inclusion, potentially allowing the reading of arbitrary files from the server. The description does not explicitly confirm execution of injected PHP code, but it is inferred that if a writable directory is involved an attacker could upload code, which could then be executed.

Affected Systems

All installations of the Parkivia WordPress theme running version 1.1.9 or earlier are affected, including every version from the earliest release up to and including 1.1.9.

Risk and Exploitability

The vulnerability receives a CVSS score of 8.1, indicating high severity, but the EPSS score is less than 1%, suggesting a low likelihood of exploitation today. The flaw relies on a manipulated path delivered via an HTTP request, making the attack vector web‑based and potentially exploitable by remote users. The lack of a KEV listing indicates no widely known exploits are currently tracked. The inference that an attacker could execute arbitrary code is based on the presence of a writable directory and not directly stated in the input.

Generated by OpenCVE AI on April 17, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Parkivia theme to version 1.2.0 or later, where include/require paths are properly validated.
  • Validate the theme’s file‑path input against a whitelist of allowed directories and reject any request that attempts to reference files outside that scope.
  • Configure PHP to disable allow_url_include and set open_basedir to restrict file inclusion to trusted locations.

Generated by OpenCVE AI on April 17, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes parkivia
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes parkivia
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Parkivia parkivia allows PHP Local File Inclusion.This issue affects Parkivia: from n/a through <= 1.1.9.
Title WordPress Parkivia theme <= 1.1.9 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Ancorathemes Parkivia
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:39.820Z

Reserved: 2026-01-07T12:21:36.721Z

Link: CVE-2026-22376

cve-icon Vulnrichment

Updated: 2026-02-20T19:11:50.722Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:37.037

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22376

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses