{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22504", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:30.743Z", "datePublished": "2026-03-25T16:14:25.040Z", "dateUpdated": "2026-03-25T16:14:25.040Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "prolingua", "product": "ProLingua", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "<= 1.1.12", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:07.660Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.<p>This issue affects ProLingua: from n/a through <= 1.1.12.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.This issue affects ProLingua: from n/a through <= 1.1.12."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:25.040Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/prolingua/vulnerability/wordpress-prolingua-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress ProLingua theme <= 1.1.12 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.This issue affects ProLingua: from n/a through <= 1.1.12."}], "id": "CVE-2026-22504", "lastModified": "2026-03-25T17:16:32.470", "metrics": {}, "published": "2026-03-25T17:16:32.470", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/prolingua/vulnerability/wordpress-prolingua-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:18:41.245421+00:00", "value": {"mitigation_remediation": ["Upgrade the ProLingua theme to a version newer than 1.1.12.", "If an immediate upgrade is not feasible, configure the web server to block execution of files in any theme directories that store user-controllable filenames.", "Review the theme\u2019s code for any unsanitized filename parameters and apply input validation or whitelisting before include/require.", "Regularly check ThemeREX\u2019s release notes and security advisories for updates."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "ThemeREX ProLingua WordPress theme versions up to and including 1.1.12 are impacted. WordPress sites that have installed any of these versions of the theme are potentially vulnerable. No specific operating system or WordPress core version is cited, so the flaw applies to all environments running the affected theme.", "description_and_impact": "A flaw in the ProLingua WordPress theme allows an attacker to supply a filename that is passed to PHP include or require without proper validation. This results in Local File Inclusion, giving read access to arbitrary files on the web server. The vulnerability is classified as CWE-98, indicating improper control of filename for include or require. It can reveal sensitive configuration or code files and may serve as a foothold for further compromise.", "risk_and_exploitability": "The CVSS base score is not publicly disclosed, and EPSS data is unavailable, which limits precise quantification of severity. Nonetheless, Local File Inclusion is generally considered high risk because it can expose confidential data or be leveraged for additional attacks. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating no known widespread exploitation. The attack vector is inferred to be local file inclusion via crafted requests targeting the theme\u2019s file inclusion logic, requiring attacker control over a filename parameter that the theme passes to PHP include or require."}}}}, "created": "2026-03-25T21:35:16.953505+00:00", "updated": "2026-03-25T21:35:16.953531+00:00", "vendors": []}