{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22513", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.068Z", "datePublished": "2026-03-25T16:14:27.447Z", "dateUpdated": "2026-03-25T16:14:27.447Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "triompher", "product": "Triompher", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.1.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:10.786Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Triompher triompher allows PHP Local File Inclusion.<p>This issue affects Triompher: from n/a through <= 1.1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Triompher triompher allows PHP Local File Inclusion.This issue affects Triompher: from n/a through <= 1.1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:27.447Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/triompher/vulnerability/wordpress-triompher-theme-1-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Triompher theme <= 1.1.0 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Triompher triompher allows PHP Local File Inclusion.This issue affects Triompher: from n/a through <= 1.1.0."}], "id": "CVE-2026-22513", "lastModified": "2026-03-25T17:16:33.687", "metrics": {}, "published": "2026-03-25T17:16:33.687", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/triompher/vulnerability/wordpress-triompher-theme-1-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:49:54.579424+00:00", "value": {"mitigation_remediation": ["Upgrade the Triompher theme to a version later than 1.1.0 or apply an official vendor patch if available.", "If an upgrade is not immediately possible, remove or deactivate the Triompher theme and switch to a trusted alternative.", "Verify that input parameters used in include or require statements are properly validated against a whitelist and that file paths are not directly derived from user input."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion leading to potential data disclosure or code execution"}, "threat_synthesis": {"affected_systems": "The flaw exists in the AncoraThemes Triompher WordPress theme, affecting all releases from the initial version through 1.1.0. Any WordPress site that has installed a vulnerable version of this theme is susceptible. The vulnerability is tied to the theme's PHP files that process user-supplied parameters without validating or sanitizing the filename.", "description_and_impact": "The vulnerability arises from improper handling of filename inputs in a PHP include/require statement within the Triompher theme. An attacker can supply a crafted path to read arbitrary files located on the web server. If the chosen file contains PHP code, adding it to the include chain may allow code execution. This can lead to disclosure of sensitive configuration information, credentials, or further compromise of the WordPress installation, and could result in complete site takeover.", "risk_and_exploitability": "The CVSS base score is not listed, and no EPSS data are available. However, Local File Inclusion is known to have a high exploitation potential when the attacker can influence input values. Because the flaw allows reading of local files, attackers with access to the web application can verify and exploit it. The fact that the issue is not tracked in the CISA KEV catalog suggests that no widespread public exploitation has been observed yet, but the risk remains high for sites still running a vulnerable theme. Admins should apply any available updates or mitigations as soon as possible."}}}}, "created": "2026-03-25T21:35:07.329740+00:00", "updated": "2026-03-25T21:35:07.329770+00:00", "vendors": []}