{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22502", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.743Z", "datePublished": "2026-03-25T16:14:24.505Z", "dateUpdated": "2026-03-26T18:31:41.739Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "mr-cobbler", "product": "Mr. Cobbler", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.1.9", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:07.092Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.<p>This issue affects Mr. Cobbler: from n/a through <= 1.1.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue affects Mr. Cobbler: from n/a through <= 1.1.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:24.505Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/mr-cobbler/vulnerability/wordpress-mr-cobbler-theme-1-1-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Mr. Cobbler theme <= 1.1.9 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:24:56.200480Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:31:41.739Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22502", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:24:56.200480Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:26:26.268Z"}}], "cna": {"title": "WordPress Mr. Cobbler theme <= 1.1.9 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "AncoraThemes", "product": "Mr. Cobbler", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.1.9"}], "packageName": "mr-cobbler", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:07.092Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/mr-cobbler/vulnerability/wordpress-mr-cobbler-theme-1-1-9-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue affects Mr. Cobbler: from n/a through <= 1.1.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.<p>This issue affects Mr. Cobbler: from n/a through <= 1.1.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:24.505Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22502", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:31:41.739Z", "dateReserved": "2026-01-07T13:44:30.743Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:24.505Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue affects Mr. Cobbler: from n/a through <= 1.1.9."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en programa PHP ('Inclusi\u00f3n remota de ficheros PHP') en AncoraThemes Mr. Cobbler mr-cobbler permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Mr. Cobbler: desde n/a hasta &lt;= 1.1.9."}], "id": "CVE-2026-22502", "lastModified": "2026-03-26T19:16:34.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:32.197", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/mr-cobbler/vulnerability/wordpress-mr-cobbler-theme-1-1-9-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Mr. Cobbler", "source": "cna", "vendor": "AncoraThemes"}, "product": "mr._cobbler", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T18:18:57.470660+00:00", "value": {"mitigation_remediation": ["Update the Mr. Cobbler theme to any release newer than version 1.1.9.", "If an update cannot be applied immediately, disable the theme or move it out of the active themes folder to prevent execution of its code.", "Restrict file permissions on the theme directory so that sensitive files cannot be read, and configure the web server to block direct access to PHP source files.", "Continuously monitor the site for suspicious file inclusion attempts or unauthorized file modifications."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion potentially enabling remote code execution"}, "threat_synthesis": {"affected_systems": "The issue affects the AncoraThemes Mr. Cobbler WordPress theme from the earliest release through version 1.1.9. Any WordPress installation that has this theme active is susceptible.", "description_and_impact": "An improper validation of filenames used in PHP include/require statements in the AncoraThemes Mr. Cobbler WordPress theme allows an attacker to specify arbitrary file paths. This local file inclusion flaw can expose sensitive configuration files or, if a writable file is targeted, can be leveraged to execute arbitrary code. The vulnerability directly impacts confidentiality, integrity, and availability of the affected WordPress site.", "risk_and_exploitability": "The CVSS score and EPSS value are not disclosed, and the theme is not listed in the CISA KEV catalog. The CWE\u201198 classification indicates a high\u2011risk weakness and the lack of an available patch suggests a substantial potential for exploitation. The likely attack vector is an attacker who can influence the include path\u2014most probably via a URL parameter or file upload\u2014can read local files or gain code execution on the server. Without mitigation, vulnerable sites remain at significant risk."}}}}, "created": "2026-03-25T21:35:18.773646+00:00", "updated": "2026-03-26T11:40:33.077625+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$mr._cobbler", "wordpress", "wordpress$PRODUCT$wordpress"]}