{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22498", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.742Z", "datePublished": "2026-03-25T16:14:23.933Z", "dateUpdated": "2026-03-25T16:14:23.933Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "laurent", "product": "Laurent", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "<= 3.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:06.151Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.<p>This issue affects Laurent: from n/a through <= 3.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.This issue affects Laurent: from n/a through <= 3.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:23.933Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability-2?_s_id=cve"}], "title": "WordPress Laurent theme <= 3.1 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.This issue affects Laurent: from n/a through <= 3.1."}], "id": "CVE-2026-22498", "lastModified": "2026-03-25T17:16:31.783", "metrics": {}, "published": "2026-03-25T17:16:31.783", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "laurent", "vendor": "elated-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:20:04.756994+00:00", "value": {"mitigation_remediation": ["Update the Laurent theme to a version newer than 3.1 that removes the file inclusion flaw.", "If an update is not immediately available, deactivate the Laurent theme until a patch can be applied.", "As a temporary safeguard, limit or remove any functionality that allows the theme to include arbitrary files, and enable PHP hardening settings such as disabling allow_url_include.", "Consult the vendor\u2019s website for a specific fix or advisory if one has been released."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion (potential code execution)"}, "threat_synthesis": {"affected_systems": "All versions of the Laurent theme up to and including 3.1 are affected. Any WordPress site that has an Elated\u2011Themes Laurent theme of version 3.1 or earlier is therefore vulnerable.", "description_and_impact": "The Laurent WordPress theme from Elated\u2011Themes contains a flaw where filenames for PHP include or require statements are not properly validated. This allows an attacker to supply a crafted value that causes the theme to include an arbitrary local file. The injected file may be read as a normal file or, if it contains PHP code, executed on the server. The weakness falls under CWE\u201198, Improper Control of Filename for Include/Require Statement. ", "risk_and_exploitability": "An attacker who can influence the input used by the theme can trigger inclusion of local files. If the included file contains PHP, the attacker could run arbitrary code on the host. The CVSS score is not publicly disclosed, and no EPSS metric is available, so the probability of exploitation cannot be quantified from this data. The vulnerability is exploitable through the normal web interface of a WordPress site that has the Laurent theme active and does not require special privileges beyond the ability to send crafted requests to the server."}}}}, "created": "2026-03-25T21:35:21.658501+00:00", "updated": "2026-03-26T11:40:36.287288+00:00", "vendors": ["elated-themes", "elated-themes$PRODUCT$laurent", "wordpress", "wordpress$PRODUCT$wordpress"]}