Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion.This issue affects Greenville: from n/a through <= 1.3.2.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Update Theme
AI Analysis

Impact

A flaw in the AncoraThemes Greenville WordPress theme lets an attacker dictate the filename used in a PHP include or require operation. The vulnerability, classified as a local file inclusion, can be exploited to read or execute arbitrary files residing on the web server. If an attacker supplies a crafted path, the theme may load sensitive configuration, database, or code files, potentially exposing credentials or allowing the execution of malicious code stored on the server.

Affected Systems

WordPress installations that have installed the AncoraThemes Greenville theme version 1.3.2 or earlier are affected. The issue applies to every release from the original deployment up to and including 1.3.2.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating a high severity. An EPSS score of less than 1% suggests that widespread exploitation has not been observed yet, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation would require an attacker to supply a crafted file path through the theme’s input mechanism, which can be accessed via a publicly exposed page or an administrative interface. The likely attack vector is manipulating the include parameter through an external request, though the CVE description does not explicitly state remote code execution; such an outcome is inferred from the nature of the LFI weakness.

Generated by OpenCVE AI on March 26, 2026 at 21:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Greenville theme to a version newer than 1.3.2 as soon as a patch is released
  • If no update is available, disable or remove the Greenville theme from the site

Generated by OpenCVE AI on March 26, 2026 at 21:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes greenville
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes greenville
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion.This issue affects Greenville: from n/a through <= 1.3.2.
Title WordPress Greenville theme <= 1.3.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Ancorathemes Greenville
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:42.308Z

Reserved: 2026-01-07T13:44:30.742Z

Link: CVE-2026-22495

cve-icon Vulnrichment

Updated: 2026-03-26T18:26:35.508Z

cve-icon NVD

Status : Received

Published: 2026-03-25T17:16:31.503

Modified: 2026-03-26T19:16:33.200

Link: CVE-2026-22495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:51Z

Weaknesses