Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Saveo saveo allows PHP Local File Inclusion. This issue affects Saveo: from n/a through <= 1.1.2.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP. The AncoraThemes Saveo theme allows local file inclusion, meaning an attacker could supply a crafted filename that causes the server to include an arbitrary local file. If the attacker can inject PHP code, this could lead to disclosure of sensitive files, modification of server files or remote code execution, impacting the confidentiality, integrity and potentially availability of the WordPress site.

Affected Systems

AncoraThemes "Saveo" theme for WordPress is impacted. Versions from n/a through 1.1.2 contain the flaw; no other versions are listed as affected.

Risk and Exploitability

The CVSS score is 8.1, indicating a high severity. The EPSS score is less than 1%, suggesting that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local: an attacker would need to craft a request to the theme that passes a filename, but depending on how the theme exposes the parameter, the LFI could be triggered via a web request. Successful exploitation would require sufficient input control or server permissions, and could provide arbitrary code execution.

Generated by OpenCVE AI on April 16, 2026 at 06:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Saveo theme to a version newer than 1.1.2 to apply the vendor‑supplied fix.
  • If an immediate update is not possible, temporarily disable or deactivate the Saveo theme to prevent the vulnerable code paths from being triggered.
  • Configure the PHP environment to mitigate the risk of local file inclusion by ensuring allow_url_include is Off, applying secure open_basedir restrictions, and validating or whitelisting any filename parameters before inclusion.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 08:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Ancorathemes; Ancorathemes saveo; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Ancorathemes; Ancorathemes saveo; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Saveo saveo allows PHP Local File Inclusion. This issue affects Saveo: from n/a through <= 1.1.2.

Type: Title
Values Added: WordPress Saveo theme <= 1.1.2 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:39.984Z

Reserved: 2026-01-07T12:21:36.721Z

Link: CVE-2026-22377

Vulnrichment

Updated: 2026-02-24T20:30:29.652Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:37.167

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22377

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses