CVE-2026-22424 - Vulnerability Details

- WordPress Shaha theme <= 1.1.2 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Shaha shaha allows PHP Local File Inclusion.This issue affects Shaha: from n/a through <= 1.1.2.

Published: 2026-03-05

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw allows an attacker to influence the filename used in an include/require statement within the Shaha theme’s PHP code. By controlling that value the attacker can read any file that the web server can access, such as configuration or credential files, and if the chosen file contains PHP code the attacker could run it on the server. The vulnerability is classified as CWE‑98.

Affected Systems

All WordPress sites that have the AncoraThemes Shaha theme installed with a version number up to and including 1.1.2 are affected. Any WordPress installation that enables this theme is vulnerable; the core WordPress version is not relevant to the scope.

Risk and Exploitability

The issue carries a high baseline severity and its EPSS score of < 1 % indicates a very low probability of exploitation, despite the vulnerability’s status outside the CISA KEV catalog. However, an attacker could trigger the local file inclusion by sending a crafted request to a publicly exposed URL that processes input forwarded to the vulnerable include/require call. Successful exploitation could allow the attacker to read critical system files or execute code, compromising confidentiality, integrity and availability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

AncoraThemes

Shaha

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.1.2

No data.

Vendor Product Confidence Versions

Ancorathemes

Shaha

100%

Version	Status	Scheme	Platform
`[0,1.1.2]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Shaha theme to the latest available release that contains the fix, such as version 1.1.3 or newer from the vendor’s repository.
If no update is immediately reachable, deactivate or remove the Shaha theme and replace it with a different theme that does not contain the vulnerable code.
Configure the web server to deny direct access to the directory containing the PHP files that perform the include/require, and enforce file permissions so only the application user can read those files.
Implement input validation or a whitelist around any parameters that feed into the include/require statement to restrict file paths to known safe locations.
Monitor web traffic and server logs for unusual requests that attempt directory traversal or read attempts of restricted files, and investigate any such activity promptly.

Generated by OpenCVE AI on April 18, 2026 at 09:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00165.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/shaha/vulnerability/wordpress-shaha-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve

History

Mon, 09 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ancorathemes Ancorathemes shaha Wordpress Wordpress wordpress
Vendors & Products		Ancorathemes Ancorathemes shaha Wordpress Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Shaha shaha allows PHP Local File Inclusion.This issue affects Shaha: from n/a through <= 1.1.2.
Title		WordPress Shaha theme <= 1.1.2 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/Wordpress/Theme/shaha/vulnerability/wordpress-shaha-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Ancorathemes Shaha

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-05T05:53:38.378Z

Updated: 2026-04-01T14:13:47.646Z

Reserved: 2026-01-07T12:22:06.512Z

Link: CVE-2026-22424

Vulnrichment

Updated: 2026-03-09T16:39:43.721Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:16.427

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object