Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Blabber blabber allows PHP Local File Inclusion.This issue affects Blabber: from n/a through <= 1.7.0.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion Leading to potential remote code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the way the Blabber theme handles include/require statements. An attacker can manipulate the filename parameter to point to arbitrary files on the server. This local file inclusion allows the attacker to read sensitive configuration files or, if the included file contains executable PHP code, to execute arbitrary commands. The weakness is identified as CWE‑98, reflecting an improper use of file inclusion functions.

Affected Systems

All installations of the AncoraThemes Blabber theme with versions 1.7.0 or earlier are affected. Users of any WordPress site running this theme should verify the installed version and plan an update if still on a vulnerable release.

Risk and Exploitability

The CVSS score of 8.1 categorizes the issue as high severity. EPSS indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Nonetheless, the likely attack vector is a local file inclusion request, typically through crafted URL parameters or form input that the theme accepts. If an attacker can influence the filename, they can read server files or execute PHP code, potentially leading to full site compromise.

Generated by OpenCVE AI on April 16, 2026 at 06:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blabber theme to the latest version (1.7.1 or later).
  • If an upgrade is not feasible, disable or remove the Blabber theme and switch to a secure alternative theme.
  • Apply web application firewall rules to block requests that try to include arbitrary files, such as restricting include paths or disallowing suspicious query strings.

Generated by OpenCVE AI on April 16, 2026 at 06:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes blabber
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes blabber
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Blabber blabber allows PHP Local File Inclusion.This issue affects Blabber: from n/a through <= 1.7.0.
Title WordPress Blabber theme <= 1.7.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Ancorathemes Blabber
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:40.131Z

Reserved: 2026-01-07T12:21:36.721Z

Link: CVE-2026-22378

cve-icon Vulnrichment

Updated: 2026-02-20T19:09:49.233Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:37.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22378

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses