{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22503", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.743Z", "datePublished": "2026-03-25T16:14:24.784Z", "dateUpdated": "2026-03-25T16:14:24.784Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "nelson", "product": "Nelson", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "<= 1.2.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:07.360Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.<p>This issue affects Nelson: from n/a through <= 1.2.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.This issue affects Nelson: from n/a through <= 1.2.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:24.784Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/nelson/vulnerability/wordpress-nelson-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Nelson theme <= 1.2.0 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.This issue affects Nelson: from n/a through <= 1.2.0."}], "id": "CVE-2026-22503", "lastModified": "2026-03-25T17:16:32.333", "metrics": {}, "published": "2026-03-25T17:16:32.333", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/nelson/vulnerability/wordpress-nelson-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:24:38.217434+00:00", "value": {"mitigation_remediation": ["Update the ThemeREX Nelson WordPress theme to the latest release, ensuring the version is above 1.2.0."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "All installations of the ThemeREX Nelson WordPress theme from the earliest release through version 1.2.0 are vulnerable. No other products or vendors are listed as affected.", "description_and_impact": "An improper control of the filename used in a PHP include or require statement allows the ThemeREX Nelson WordPress theme to read arbitrary files from the server or execute malicious code if an attacker can point the include to a crafted PHP file. This flaw can expose sensitive configuration data, database credentials, and system files, and could lead to remote code execution, compromising confidentiality, integrity, and availability of the affected website.", "risk_and_exploitability": "The vulnerability is exploitable via a web request that supplies a filename parameter to the theme\u2019s processing code. Attackers with internet access to the site could trigger the vulnerable inclusion, potentially achieving command execution if a malicious file is supplied. While the CVSS score is not provided, the high potential for remote code execution makes the risk severe. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, but the publicly accessible attack vector warrants prompt remediation."}}}}, "created": "2026-03-25T21:35:17.861205+00:00", "updated": "2026-03-25T21:35:17.861228+00:00", "vendors": []}