{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22496", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.742Z", "datePublished": "2026-03-25T16:14:23.766Z", "dateUpdated": "2026-03-25T16:14:23.766Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "hypnotherapy", "product": "Hypnotherapy", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.2.10", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:05.253Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion.<p>This issue affects Hypnotherapy: from n/a through <= 1.2.10.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion.This issue affects Hypnotherapy: from n/a through <= 1.2.10."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:23.766Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/hypnotherapy/vulnerability/wordpress-hypnotherapy-theme-1-2-10-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Hypnotherapy theme <= 1.2.10 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion.This issue affects Hypnotherapy: from n/a through <= 1.2.10."}], "id": "CVE-2026-22496", "lastModified": "2026-03-25T17:16:31.643", "metrics": {}, "published": "2026-03-25T17:16:31.643", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/hypnotherapy/vulnerability/wordpress-hypnotherapy-theme-1-2-10-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.10]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hypnotherapy", "source": "cna", "vendor": "AncoraThemes"}, "product": "hypnotherapy", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:20:30.119559+00:00", "value": {"mitigation_remediation": ["Upgrade AncoraThemes Hypnotherapy to version 1.2.11 or later.", "Verify that the site contains no unauthorized files or injected code.", "If an upgrade is not immediately possible, deactivate or remove the theme until a patch is applied.", "As a temporary measure, restrict file permissions on the theme directory to prevent execution of uploaded files."], "summary": {"action": "Patch Now", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in AncoraThemes Hypnotherapy theme versions 1.2.10 and earlier. Any WordPress site that has installed that theme without upgrading to 1.2.11 or later is vulnerable. The issue is confined to the theme files and does not affect WordPress core or other plugins unless they are directly used by the theme.", "description_and_impact": "The flaw allows an attacker to supply a filename that bypasses the theme\u2019s security checks, enabling inclusion of arbitrary files on the server. By reading sensitive configuration files or including malicious PHP files that have been uploaded elsewhere on the site, an attacker can exfiltrate data or, in the worst case, execute code with the web\u2011server\u2019s privileges. The weakness directly maps to CWE\u201198, Improper Control of Filename for Include/Require Statement in PHP.", "risk_and_exploitability": "The CVSS score is not publicly disclosed, but Local File Inclusion typically scores medium to high because of the potential for remote code execution. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploits yet. An attacker can trigger the flaw through a crafted HTTP request to the theme\u2019s PHP endpoints, presumably without prior authentication. Prompt patching is advised, especially for sites that allow file uploads or custom PHP execution."}}}}, "created": "2026-03-25T21:35:22.692536+00:00", "updated": "2026-03-26T11:40:37.230365+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$hypnotherapy", "wordpress", "wordpress$PRODUCT$wordpress"]}