Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion. This issue affects Mr. Cobbler: from n/a through <= 1.1.9.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The AncoraThemes Mr. Cobbler theme fails to properly control the filename passed to a PHP include/require statement. This flaw permits local file inclusion, letting an attacker read arbitrary files on the server and, if a PHP script is included, execute arbitrary code. The vulnerability is classified as CWE-98 and carries a high CVSS score of 8.1, underscoring its potential impact on confidentiality, integrity, and availability.

Affected Systems

Every WordPress site that uses the Mr. Cobbler theme at version 1.1.9 or earlier is affected. The issue applies to all releases from the initial release up to and including 1.1.9. AncoraThemes is the sole supplier of the theme, and every site deploying it is vulnerable regardless of hosting environment.

Risk and Exploitability

The vulnerability's CVSS base score of 8.1 indicates a serious risk. An EPSS score below 1% suggests a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a user-controlled request that supplies a file path to the theme; the CVE description implies that this can be triggered via an improperly validated parameter or template file. Exploitation would require the ability to send such a request and to influence the included path.

Generated by OpenCVE AI on March 26, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Mr. Cobbler theme to version 1.2.0 or later
  • If an immediate update cannot be performed, deactivate the Mr. Cobbler theme until a fix is released

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Ancorathemes; Ancorathemes mr. Cobbler; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Ancorathemes; Ancorathemes mr. Cobbler; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion. This issue affects Mr. Cobbler: from n/a through <= 1.1.9.

Type: Title
Values Added: WordPress Mr. Cobbler theme <= 1.1.9 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:55:57.286Z

Reserved: 2026-01-07T13:44:30.743Z

Link: CVE-2026-22502

Vulnrichment

Updated: 2026-03-26T18:26:26.268Z

NVD

Status : Deferred

Published: 2026-03-25T17:16:32.197

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22502

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:47Z

Weaknesses