{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22494", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:23.295Z", "datePublished": "2026-03-25T16:14:23.360Z", "dateUpdated": "2026-03-25T16:14:23.360Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "good-homes", "product": "Good Homes", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "<= 1.3.13", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:05.600Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion.<p>This issue affects Good Homes: from n/a through <= 1.3.13.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion.This issue affects Good Homes: from n/a through <= 1.3.13."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:23.360Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/good-homes/vulnerability/wordpress-good-homes-theme-1-3-13-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Good Homes theme <= 1.3.13 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Good Homes good-homes allows PHP Local File Inclusion.This issue affects Good Homes: from n/a through <= 1.3.13."}], "id": "CVE-2026-22494", "lastModified": "2026-03-25T17:16:31.363", "metrics": {}, "published": "2026-03-25T17:16:31.363", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/good-homes/vulnerability/wordpress-good-homes-theme-1-3-13-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Good Homes", "source": "cna", "vendor": "ThemeREX"}, "product": "good_homes", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:26:36.539245+00:00", "value": {"mitigation_remediation": ["Upgrade Good Homes theme to version 1.3.14 or later, if available.", "If an immediate upgrade is not possible, patch or remove any theme files that perform unsanitized include/require calls, ensuring only validated filenames are used.", "Restrict HTTP access to the theme\u2019s PHP files using .htaccess or web\u2011server configuration rules to prevent direct file inclusion.", "Review server and application logs for suspicious file access attempts and verify the site has not been compromised.", "Keep the WordPress core, all plugins, and themes updated to the latest secure releases."], "summary": {"action": "Apply Patch", "impact": "System Compromise via Local File Inclusion"}, "threat_synthesis": {"affected_systems": "ThemeREX Good Homes WordPress theme, versions from the earliest releases through 1.3.13. Any site using the theme in these or earlier versions is affected. The flaw impacts the WordPress installation that hosts the theme.", "description_and_impact": "The vulnerability arises from improper validation of filenames used in PHP include/require statements in the Good Homes theme, enabling an attacker to force the theme to load arbitrary local files. An attacker who can supply a crafted request may read sensitive configuration files or, if a locally stored file contains executable code, achieve remote code execution. The weakness corresponds to CWE-98 and can compromise confidentiality, integrity, or availability of the WordPress site.", "risk_and_exploitability": "The CVSS score and EPSS are unavailable, and the vulnerability is not yet listed in CISA's KEV catalog, indicating no known widespread exploitation. Nonetheless, the flaw permits Local File Inclusion via HTTP requests, which an attacker can trigger with minimal effort if the theme's inclusion logic is exposed. The likely attack vector is remote, via a crafted HTTP request to the WordPress site, allowing an attacker to read arbitrary files or execute code. The potential impact ranges from data exposure to full system compromise."}}}}, "created": "2026-03-25T21:35:24.792517+00:00", "updated": "2026-03-26T11:40:39.040759+00:00", "vendors": ["themerex", "themerex$PRODUCT$good_homes", "wordpress", "wordpress$PRODUCT$wordpress"]}