{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22506", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.067Z", "datePublished": "2026-03-25T16:14:25.621Z", "dateUpdated": "2026-03-25T16:14:25.621Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "amoli", "product": "Amoli", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "<= 1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:08.668Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion.<p>This issue affects Amoli: from n/a through <= 1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion.This issue affects Amoli: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:25.621Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/amoli/vulnerability/wordpress-amoli-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Amoli theme <= 1.0 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion.This issue affects Amoli: from n/a through <= 1.0."}], "id": "CVE-2026-22506", "lastModified": "2026-03-25T17:16:32.737", "metrics": {}, "published": "2026-03-25T17:16:32.737", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/amoli/vulnerability/wordpress-amoli-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:31:30.822796+00:00", "value": {"mitigation_remediation": ["Update the Amoli theme to a version newer than 1.0.", "If no update is available, consider disabling or removing the theme from the WordPress installation.", "Apply a web application firewall rule that blocks path traversal attempts targeting the theme\u2019s inclusion points.", "Restrict file permissions on the WordPress installation so that the web server process cannot read sensitive configuration files."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Elated\u2011Themes Amoli theme for WordPress, in versions 1.0 and all earlier releases. Sites that have installed this theme must verify their version and consider applying an update or disabling the theme.", "description_and_impact": "The Amoli theme for WordPress contains an improper control of the filename in PHP include/require statements, allowing an attacker to influence the path used by the application. This flaw permits the server to read or execute arbitrary files present on the system, compromising confidentiality and integrity of server files. The weakness is classified as a local file inclusion vulnerability.", "risk_and_exploitability": "No CVSS or EPSS score is provided, but local file inclusion is regarded as high risk because it can expose sensitive data and enable further exploitation. The attack vector is inferred to be a crafted HTTP request that manipulates a parameter used in a vulnerable include/require call within the theme. Exploitation requires access to the exposed endpoint; no additional prerequisites are noted."}}}}, "created": "2026-03-25T21:35:14.370361+00:00", "updated": "2026-03-25T21:35:14.370413+00:00", "vendors": []}