Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion. This issue affects Unica: from n/a through <= 1.4.1.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Unica theme for WordPress contains an improper control of filename for include/require statements, enabling a local file inclusion flaw. Based on the description, it is inferred that a remote user could supply a crafted path to cause the theme to read or include arbitrary files on the server. If such a file contains PHP code, this could lead to remote code execution, potentially exposing confidential data and compromising site integrity.

Affected Systems

AncoraThemes Unica theme, used on WordPress installations, is affected from its initial release up through version 1.4.1. Any site running a version of Unica older than or equal to 1.4.1 is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high-severity vulnerability. The EPSS score is below 1%, indicating a low current probability of exploitation, but the risk remains high if an attacker finds a use case. The vulnerability is not listed in CISA's KEV catalog. Attackers would likely reach the vulnerability through HTTP requests to the WordPress site that exercise the theme's inclusion logic. Exploitation requires the ability to influence the include path; once that is achieved, the attacker could read sensitive files or execute arbitrary code, depending on the server configuration.

Generated by OpenCVE AI on March 26, 2026 at 20:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest AncoraThemes Unica theme update, which removes the local file inclusion flaw.
  • Verify that the theme version is now greater than 1.4.1 after the upgrade.
  • If an immediate update is not possible, disable the Unica theme or replace it with a secure alternative until a patch is applied.
  • As an additional defensive measure, restrict file inclusion by configuring PHP to disallow arbitrary file paths and whitelist allowed directories.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes unica
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes unica
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion. This issue affects Unica: from n/a through <= 1.4.1.
Title WordPress Unica theme <= 1.4.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:45:53.883Z

Reserved: 2026-01-07T13:44:36.068Z

Link: CVE-2026-22514

Vulnrichment

Updated: 2026-03-26T18:26:04.727Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:33.823

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22514

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:36Z

Weaknesses