Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Woopy woopy allows PHP Local File Inclusion.This issue affects Woopy: from n/a through <= 1.2.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper control of filename in PHP include/require statements that allows attackers to trigger PHP Local File Inclusion (LFI). By supplying a crafted filename, an attacker can force the application to read and execute arbitrary files from the local filesystem, potentially leading to disclosure of sensitive data or execution of arbitrary code on the host.

Affected Systems

The issue affects the WordPress theme "Woopy" from AncoraThemes. All releases of Woopy up to and including version 1.2 are vulnerable. This includes any installation that has not yet been updated beyond that version.

Risk and Exploitability

The reported CVSS score is 8.1, indicating high severity. The EPSS score is reported as less than 1%, implying a low likelihood of exploitation at the time of the assessment. This vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the LFI via a web request that supplies a malicious filename to the theme’s PHP include logic, so the likely attack vector is remote through the application’s web interface. With successful exploitation, an attacker could read sensitive configuration files, retrieve backups, or execute arbitrary PHP code, compromising the confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 16, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Woopy theme to version 1.3 or later, which removes the vulnerable include logic.
  • If an immediate upgrade is not possible, modify the theme’s file that performs include/require by adding input validation: sanitize the filename, enforce a whitelist of allowable paths, and avoid using user‑supplied data directly in file paths.
  • Configure PHP’s open_basedir directive to restrict the directories that the web application can access, limiting the impact of any successful LFI attempt.
  • Monitor web server and application logs for unexpected file inclusion patterns and block any anomalous requests using Web Application Firewall rules.

Generated by OpenCVE AI on April 16, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes woopy
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes woopy
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Woopy woopy allows PHP Local File Inclusion.This issue affects Woopy: from n/a through <= 1.2.
Title WordPress Woopy theme <= 1.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Ancorathemes Woopy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:49.458Z

Reserved: 2026-01-07T12:22:06.513Z

Link: CVE-2026-22432

cve-icon Vulnrichment

Updated: 2026-03-09T16:29:05.445Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:17.253

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses