Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion. This issue affects Good Homes: from n/a through <= 1.3.13.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an improper control of the filename used in PHP include/require statements within the WordPress Good Homes theme, allowing attackers to perform local file inclusion. This flaw can expose sensitive configuration files, user data, or other internal information, and in the worst case may enable the execution of arbitrary PHP code if a malicious file is included and interpreted. The issue is categorized as CWE-98 and has a CVSS score of 8.1, indicating a high-severity issue that could compromise the confidentiality, integrity, or availability of the affected website.

Affected Systems

The affected product is the Good Homes WordPress theme from ThemeREX. Any installation of Good Homes theme version 1.3.13 or earlier is vulnerable, including sites that have not yet applied the latest updates. Users of older versions should review their theme version and upgrade immediately if possible.

Risk and Exploitability

The CVSS score of 8.1 signals a significant risk, but the EPSS score of less than 1% suggests that exploitation is uncommon at present. The vulnerability is not listed in the CISA KEV catalog, implying no known active exploitation campaigns. Based on the description, it is inferred that an attacker would craft a request that manipulates the file path in an include/require call, gaining read access to local files or triggering execution of arbitrary PHP code. The exact attack vector is not directly detailed, but the nature of the flaw points to a reflected or file path manipulation vector.

Generated by OpenCVE AI on March 26, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Good Homes theme to version 1.3.14 or later to eliminate the LFI flaw.
  • Verify that the theme’s file inclusion paths are restricted and that public access to PHP files is properly controlled.
  • If an upgrade is not immediately possible, isolate the theme’s PHP files from web access or place a web‑application firewall rule to block suspicious include/require requests.
  • Contact ThemeREX support for specialized guidance if further adjustments are required.
  • Review the site for exposed sensitive files and remove or protect them from public access.


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Themerex; Themerex good Homes; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themerex; Themerex good Homes; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion. This issue affects Good Homes: from n/a through <= 1.3.13.

Type: Title
Values Added: WordPress Good Homes theme <= 1.3.13 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:42.489Z

Reserved: 2026-01-07T13:44:23.295Z

Link: CVE-2026-22494

Vulnrichment

Updated: 2026-03-26T18:26:37.592Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:31.363

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:52Z

Weaknesses