Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Great Lotus great-lotus allows PHP Local File Inclusion. This issue affects Great Lotus: from n/a through <= 1.3.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The Great Lotus WordPress theme does not properly control the filename used in PHP include/require statements, resulting in a local file inclusion flaw. An attacker could supply an arbitrary file path that the theme then tries to include, potentially exposing sensitive files or executing code if the included file is PHP.

Affected Systems

AncoraThemes Great Lotus WordPress theme versions up to and including 1.3.1 are susceptible to this weakness.

Risk and Exploitability

The CVSS score of 8.1 categorizes this vulnerability as high severity, indicating significant impact if exploited. The EPSS score of less than 1% suggests that active exploitation is currently unlikely, and the issue is not listed in the CISA KEV catalog. The provided description does not specify a requirement for authentication, implying that web access to the vulnerable theme area may be sufficient to trigger the flaw.

Generated by OpenCVE AI on April 17, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Great Lotus theme to a version newer than 1.3.1.
  • Restrict any user‑supplied file names used in include or require calls to a whitelist or predefined safe directory.
  • Deploy a web application firewall or input‑validation routine that blocks attempts to provide arbitrary path values to include/require statements.



Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ancorathemes; Ancorathemes great Lotus; Wordpress; Wordpress wordpress
Vendors & Products | | Ancorathemes; Ancorathemes great Lotus; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Great Lotus great-lotus allows PHP Local File Inclusion. This issue affects Great Lotus: from n/a through <= 1.3.1.
Title | | WordPress Great Lotus theme <= 1.3.1 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:46.696Z

Reserved: 2026-01-07T12:22:01.195Z

Link: CVE-2026-22418

Vulnrichment

Updated: 2026-03-10T14:39:05.305Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:15.730

Modified: 2026-03-10T18:18:08.610

Link: CVE-2026-22418

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses