Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion. This issue affects VegaDays: from n/a through <= 1.2.0.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Update Theme
AI Analysis

Impact

An improper control of the filename used in PHP include/require statements within the VegaDays WordPress theme allows an attacker to manipulate the path and include arbitrary local files. This local file inclusion flaw could enable the disclosure of sensitive files such as configuration files or, in some configurations, execution of arbitrary PHP code. The vulnerability is associated with CWE-98.

Affected Systems

AncoraThemes' VegaDays WordPress theme is affected, specifically all releases up to and including version 1.2.0. Users running these versions are susceptible to the described local file inclusion flaw.

Risk and Exploitability

The flaw carries a high CVSS score of 8.1, indicating significant potential impact if exploited. However, the overall probability of exploitation is low, with an EPSS score below 1% and no current listing in CISA's KEV catalog. Attackers can most likely exploit the vulnerability remotely through crafted HTTP requests that manipulate inclusion parameters, although the exact trigger depends on the theme's implementation. Until a patch is applied, this remains a relevant risk for exposed sites.

Generated by OpenCVE AI on March 26, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VegaDays theme to a version newer than 1.2.0
  • Disable the VegaDays theme until a patch is available



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  • cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  • Ancorathemes
  • Ancorathemes vegadays
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added:
  • Ancorathemes
  • Ancorathemes vegadays
  • Wordpress
  • Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: none
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion. This issue affects VegaDays: from n/a through <= 1.2.0.

Type: Title
Values Removed: none
Values Added: WordPress VegaDays theme <= 1.2.0 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: none
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:45:53.718Z

Reserved: 2026-01-07T13:44:43.225Z

Link: CVE-2026-22515

Vulnrichment

Updated: 2026-03-26T18:26:02.559Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:33.953

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:35Z
