Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Honor honor allows PHP Local File Inclusion. This issue affects Honor: from n/a through <= 2.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via local file inclusion
Action: Assess Impact
AI Analysis

Impact

The Honor theme contains an improper control of the filename used in include or require statements, which enables a local file inclusion flaw. An attacker can supply a path that resolves to any local file and, if the target file contains PHP code, can execute it. This leads to potential disclosure of sensitive files and, more critically, arbitrary code execution on the host, compromising confidentiality, integrity, and availability of the website.

Affected Systems

All installations of AncoraThemes Honor theme from the earliest release through version 2.3 are affected.

Risk and Exploitability

The vulnerability carries a high severity rating. The estimated likelihood of exploitation (EPSS) is currently below 1%, which is very low. It is not listed in the Known Exploited Vulnerabilities catalog. Based on the description, the likely attack vector is network: by creating a crafted URL that triggers the local inclusion, an unauthenticated attacker can supply a PHP file and achieve remote code execution.

Generated by OpenCVE AI on April 18, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict file permissions in the theme directory so that only the web server can read files, preventing execution of arbitrary user‑supplied files.
  • Implement input validation or a whitelist for the include argument to disallow directory traversal and arbitrary paths.
  • Deploy a web application firewall rule that blocks requests containing directory traversal sequences such as "../" and monitor site logs for inclusion attempts.



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes honor
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes honor
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Honor honor allows PHP Local File Inclusion. This issue affects Honor: from n/a through <= 2.3.
Title WordPress Honor theme <= 2.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:46.839Z

Reserved: 2026-01-07T12:22:01.195Z

Link: CVE-2026-22419

Vulnrichment

Updated: 2026-03-09T16:41:50.532Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:15.870

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22419

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses