Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Horizon horizon allows PHP Local File Inclusion. This issue affects Horizon: from n/a through <= 1.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

An attacker can manipulate PHP include/require statements in the Horizon theme to load arbitrary files from the server. The vulnerability, classified as CWE-98, permits reading any file accessible to the web server process, and if the included file contains PHP code, that code may be executed. The official description does not state whether authentication is required, so it is not guaranteed that an unauthenticated visitor can trigger the inclusion; that part of the assessment is an inference.

Affected Systems

The issue affects all deployed versions of the AncoraThemes Horizon WordPress theme up to and including 1.1. No specific lower bound was identified ("from n/a"), meaning every release from 1.0 through 1.1 should be treated as vulnerable.

Risk and Exploitability

With a CVSS score of 8.1 the flaw is rated high severity, yet the EPSS score is below 1%, indicating a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The inferred attack vector is remote: a malicious user supplies a crafted parameter that causes the theme to include a local file, potentially exposing sensitive data or executing arbitrary code. Successful exploitation could compromise the confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 16, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Horizon theme to a version newer than 1.1 that removes the insecure include logic.
  • If an upgrade cannot be performed, deactivate and delete the Horizon theme so that its vulnerable code is no longer executed.
  • Modify the theme, or use a custom plugin, to hard-code safe file paths and validate any user input that may influence include/require statements.
  • Continuously monitor web server logs for unexpected inclusion attempts (for example, traversal sequences or absolute paths in request parameters) to detect possible exploitation.
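To illustrate the third recommendation, the following is an added example and not code from the Horizon theme (whose affected logic is not published here): a hypothetical theme template loader in the unsafe CWE-98 shape, beside a hardened version that allowlists template names and checks that the resolved path stays inside the theme's template directory. The function names and the template list are assumptions; get_template_directory() and sanitize_key() are standard WordPress functions.

```php
<?php
// Added example. The unsafe function is a constructed illustration of the
// CWE-98 pattern, not the Horizon theme's code; the hardened one applies the
// recommended fix: fixed base directory, allowlist, and containment check.

// UNSAFE (hypothetical): a request parameter flows straight into include.
// A traversal sequence or absolute path in $template escapes the directory.
function hypothetical_load_template_unsafe(string $template): void {
    include get_template_directory() . '/templates/' . $template . '.php';
}

// HARDENED: only known template names are accepted, the path is resolved with
// realpath(), and the result must still sit under the templates directory.
function hypothetical_load_template_safe(string $template): bool {
    $allowed = ['home', 'portfolio', 'single-project', 'contact']; // assumed list
    if (!in_array($template, $allowed, true)) {
        return false;
    }
    $base = realpath(get_template_directory() . '/templates');
    if ($base === false) {
        return false;
    }
    $path = realpath($base . '/' . $template . '.php');
    // realpath() returns false for missing files and collapses any "..",
    // so a prefix check against $base . separator rejects anything outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// sanitize_key() reduces the value to [a-z0-9_-] before the allowlist check;
// anything unknown falls back to the default template instead of erroring.
$requested = isset($_GET['template']) ? sanitize_key((string) $_GET['template']) : 'home';
if (!hypothetical_load_template_safe($requested)) {
    hypothetical_load_template_safe('home');
}
```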

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ancorathemes; Ancorathemes horizon; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Ancorathemes; Ancorathemes horizon; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Horizon horizon allows PHP Local File Inclusion. This issue affects Horizon: from n/a through <= 1.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Horizon theme <= 1.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:46.996Z

Reserved: 2026-01-07T12:22:01.195Z

Link: CVE-2026-22420

Vulnrichment

Updated: 2026-03-10T14:46:42.477Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:16.010

Modified: 2026-03-10T18:18:08.790

Link: CVE-2026-22420

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses