Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CloudMe cloudme allows PHP Local File Inclusion. This issue affects CloudMe: from n/a through <= 1.2.2.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion which can lead to code execution or data disclosure
Action: Apply Patch
AI Analysis

Impact

The CloudMe theme for WordPress contains an improper control over filenames used in PHP include/require statements. This allows attackers to craft requests that force the application to include arbitrary files from the server's filesystem, potentially exposing sensitive configuration files or executing attacker‑supplied code. Because the vulnerability targets server‑side code inclusion (CWE-98), a successful exploit could lead to full code execution on the host or unauthorized data disclosure.

Affected Systems

The affected product is the AncoraThemes CloudMe WordPress theme. The issue exists in all releases from the first release through version 1.2.2. Any WordPress site that is still running CloudMe version 1.2.2 or earlier is at risk. No other vendors or product variants are listed.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability, but the EPSS score of less than 1 % and absence from the CISA KEV catalog suggest that widespread exploitation is currently unlikely. The attack vector would typically involve sending a specially crafted request that manipulates the include or require path, which may require the attacker to have some level of authenticated access or to trigger a feature with a public endpoint. Despite the low probability, the potential impact justifies proactive remediation.

Generated by OpenCVE AI on April 16, 2026 at 05:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CloudMe theme to a version newer than 1.2.2 that includes the local file inclusion fix.
  • Restrict PHP file read access to the site root and configuration directories by configuring the web server (e.g., using .htaccess or firewall rules) to prevent arbitrary file reads.
  • Implement server‑side validation to whitelist allowable include paths and remove untrusted input that can manipulate file inclusion.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Ancorathemes; Ancorathemes cloudme; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Ancorathemes; Ancorathemes cloudme; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CloudMe cloudme allows PHP Local File Inclusion. This issue affects CloudMe: from n/a through <= 1.2.2.

Type: Title
Values Removed: none
Values Added: WordPress CloudMe theme <= 1.2.2 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:49.728Z

Reserved: 2026-01-07T12:22:06.513Z

Link: CVE-2026-22433

Vulnrichment

Updated: 2026-03-10T15:21:59.688Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:17.390

Modified: 2026-03-10T18:18:09.727

Link: CVE-2026-22433

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z
