Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion. This issue affects Hypnotherapy: from n/a through <= 1.2.10.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion with potential to execute arbitrary code
Action: Immediate Patch
AI Analysis

Impact

AncoraThemes Hypnotherapy theme up to version 1.2.10 contains an improper control of filenames in PHP include/require statements. This flaw allows an attacker to specify paths that bypass the intended constraints, enabling the inclusion of local files. If the included file contains PHP code, the attacker can achieve remote code execution. The weakness aligns with CWE‑98.

Affected Systems

WordPress sites using AncoraThemes Hypnotherapy theme versions from any version through 1.2.10 are affected. The issue persists on all installations that have not upgraded past version 1.2.10.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests low likelihood of current exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, reducing immediate risk exposure. The likely attack vector is local, requiring an attacker to trigger the vulnerable code path on the hosted WordPress instance, possibly through crafted requests or file uploads that invoke the flawed include logic.

Generated by OpenCVE AI on March 26, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update AncoraThemes Hypnotherapy theme to version 1.2.11 or later.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  Ancorathemes
  Ancorathemes hypnotherapy
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added:
  Ancorathemes
  Ancorathemes hypnotherapy
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion. This issue affects Hypnotherapy: from n/a through <= 1.2.10.

Type: Title
Values Removed: none
Values Added: WordPress Hypnotherapy theme <= 1.2.10 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:55:58.044Z

Reserved: 2026-01-07T13:44:30.742Z

Link: CVE-2026-22496

Vulnrichment

Updated: 2026-03-26T18:26:33.316Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:31.643

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:50Z

Weaknesses