Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gioia gioia allows PHP Local File Inclusion. This issue affects Gioia: from n/a through <= 1.4.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from an improper control of the filename used in an include or require statement within the Gioia theme. This flaw enables loading of unintended local files, potentially exposing sensitive configuration data or executing arbitrary PHP code if a crafted file is included. The resulting compromise could lead to disclosure of confidential information or a full compromise of the website if remote code execution becomes possible through the included file.

Affected Systems

The vulnerability impacts the Elated‑Themes Gioia WordPress theme at all versions up to and including 1.4. Any WordPress installation that still uses a Gioia theme version 1.4 or earlier is potentially exposed.

Risk and Exploitability

The CVSS score of 8.1 indicates a high risk to confidentiality, integrity, and availability. The EPSS score of less than 1% suggests current exploitation rates are low, and the issue is not listed in the CISA KEV catalog. The description indicates that the flaw is likely exploited as a local file inclusion, but the specific conditions required are not explicitly stated and are inferred from standard LFI behavior.

Generated by OpenCVE AI on March 26, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gioia theme to version 1.5 or later
  • If an update is unavailable, remove or deactivate the Gioia theme
  • Apply server‑side file‑access controls to prevent unauthorized local includes
  • If necessary, apply a custom patch that validates or sanitizes include paths before use


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elated-themes; Elated-themes gioia; Wordpress; Wordpress wordpress
Vendors & Products | | Elated-themes; Elated-themes gioia; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gioia gioia allows PHP Local File Inclusion. This issue affects Gioia: from n/a through <= 1.4.
Title | | WordPress Gioia theme <= 1.4 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:41.111Z

Reserved: 2026-01-07T13:44:36.068Z

Link: CVE-2026-22509

Vulnrichment

Updated: 2026-03-26T18:26:13.653Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:33.143

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:40Z

Weaknesses