Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion. This issue affects Playa: from n/a through <= 1.3.9.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The vulnerability is an improper control of the filename used in a PHP include/require statement in the AncoraThemes Playa WordPress theme. The flaw allows an attacker to specify an arbitrary file path, potentially leading to local file read or execution of malicious PHP code. This weakness is classified as CWE-98 and can compromise confidentiality, integrity, or availability depending on the files accessed.

Affected Systems

AncoraThemes Playa, a WordPress theme used in multiple websites, is affected for all releases up to and including version 1.3.9. No specific build or patch versions beyond 1.3.9 are impacted.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is considered high severity. The EPSS score is reported as less than 1%, indicating a very low likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would likely exploit the flaw through a crafted web request that feeds a malicious filename to the vulnerable include logic. The inclusion is local (files already present on the server) rather than remote file inclusion, but the ability to execute PHP code could elevate the risk to full remote code execution if the included file is a PHP script.

Generated by OpenCVE AI on April 16, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AncoraThemes Playa theme to version 1.4.0 or later, which removes the vulnerable include logic.
  • If an immediate upgrade is not possible, modify the theme’s inclusion code to validate filenames against a whitelist or enforce a safe include path, effectively blocking arbitrary file access.
  • Configure the PHP runtime to disable allow_url_include and set an open_basedir restriction to further limit file inclusion capabilities.
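The allow-list pattern from the second recommendation, shown beside the CWE-98 include pattern it replaces. This is an added illustration, not code from the Playa theme; the function names, the `tpl` query parameter and the `templates/` directory are hypothetical.

```php
<?php
// Added illustration of CWE-98 and its allow-list fix. Hypothetical code:
// not taken from the Playa theme; names and paths are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the request parameter controls the included path.
// Any value containing path separators or "../" escapes the template
// directory, so the attacker chooses which server-side file PHP executes.
function render_template_unsafe(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened pattern: map a short request token to a fixed file name, then
// verify that the resolved path still lies inside the template directory.
function render_template_safe(string $name): void
{
    static $allowed = [
        'header'  => 'header.php',
        'footer'  => 'footer.php',
        'gallery' => 'gallery.php',
    ];
    if (!isset($allowed[$name])) {
        http_response_code(400);   // unknown token: refuse, never fall through
        return;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $allowed[$name]);
    // realpath() returns false for a missing file; the prefix check also
    // rejects symlinks that resolve outside the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Request handler: only the token reaches the allow-list, never a path.
$template = (string) ($_GET['tpl'] ?? 'header');
render_template_safe($template);
```

The runtime settings in the third recommendation (`allow_url_include = Off`, `open_basedir` pointing at the WordPress root) are a second layer: they do not fix the include logic, but they bound what a bypass of it can reach.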

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Ancorathemes; Ancorathemes playa; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Ancorathemes; Ancorathemes playa; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion. This issue affects Playa: from n/a through <= 1.3.9.

Type: Title
Values Removed: (none)
Values Added: WordPress Playa theme <= 1.3.9 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:50.416Z

Reserved: 2026-01-07T12:22:12.277Z

Link: CVE-2026-22437

Vulnrichment

Updated: 2026-03-10T15:26:59.212Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:18.103

Modified: 2026-03-10T18:18:10.100

Link: CVE-2026-22437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses