{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22499", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.743Z", "datePublished": "2026-03-25T16:14:24.098Z", "dateUpdated": "2026-03-25T16:14:24.098Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "lella", "product": "Lella", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "<= 1.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:06.469Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.<p>This issue affects Lella: from n/a through <= 1.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.This issue affects Lella: from n/a through <= 1.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:24.098Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/lella/vulnerability/wordpress-lella-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Lella theme <= 1.2 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.This issue affects Lella: from n/a through <= 1.2."}], "id": "CVE-2026-22499", "lastModified": "2026-03-25T17:16:31.917", "metrics": {}, "published": "2026-03-25T17:16:31.917", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/lella/vulnerability/wordpress-lella-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "lella", "vendor": "elated-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:19:50.235928+00:00", "value": {"mitigation_remediation": ["Upgrade the Lella theme to a version newer than 1.2.", "If an upgrade cannot be performed immediately, remove or disable any plugins or custom code that allows user\u2011controlled file inclusions in the theme.", "Apply web application firewall rules to block suspicious include paths and validate that include/require statements do not accept untrusted input.", "Verify that file permissions on the server restrict read/write access to sensitive files and directories."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Elated-Themes Lella theme version 1.2 or earlier are affected. Any installation of this theme that has not been upgraded beyond version 1.2 is vulnerable.", "description_and_impact": "The vulnerability occurs because the Elated-Themes Lella theme does not properly control the filename used in PHP include/require statements, a flaw identified as PHP Remote File Inclusion. As a result, an attacker who can influence the file path can load arbitrary local files. The attacker could read sensitive configuration files, access user credentials, or execute malicious PHP code if a writable file is included, thereby compromising confidentiality, integrity, and potentially availability of the WordPress site.", "risk_and_exploitability": "The CVSS score is not provided in the CVE entry, but Local File Inclusion is generally considered a high\u2011risk vulnerability. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is web\u2011based, requiring access to a publicly exposed WordPress endpoint that processes the vulnerable include logic. Depending on the file permissions and the files an attacker can read or execute, the impact could range from simple data disclosure to full site compromise."}}}}, "created": "2026-03-25T21:35:20.717724+00:00", "updated": "2026-03-26T11:40:35.426900+00:00", "vendors": ["elated-themes", "elated-themes$PRODUCT$lella", "wordpress", "wordpress$PRODUCT$wordpress"]}