Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion. This issue affects Wizor's: from n/a through <= 2.12.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Now
AI Analysis

Impact

Improper control of the filename passed to a PHP include/require statement allows an attacker to include arbitrary files located within the WordPress installation. In the AncoraThemes Wizor's theme, the flaw is present in versions up to and including 2.12. The resulting local file inclusion could expose sensitive configuration files or user data, or allow execution of malicious PHP scripts. This compromises confidentiality and could lead to remote code execution on the affected server.

Affected Systems

All WordPress sites that are running the Wizor's wizors-investments theme version 2.12 or earlier are affected. The vulnerability does not depend on a specific WordPress core version and applies to any installation where the theme is active.

Risk and Exploitability

The CVSS v3 score of 8.1 reflects high severity, while the EPSS score of less than 1% indicates a low likelihood of automated exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the typical attack vector would involve sending a crafted HTTP request that supplies a malicious filename to the vulnerable include statement, thereby exposing internal files or injecting code. Sites that allow such requests would be susceptible.

Generated by OpenCVE AI on March 26, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wizor's theme to a version newer than 2.12
  • If an upgrade is not possible, disable or uninstall the theme to prevent the vulnerable code from executing
  • If the theme relies on child themes, remove or modify any child code that performs unchecked file inclusion
  • Check the theme developer's website or support channels for future updates or patches

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Ancorathemes; Ancorathemes wizor's; Wordpress; Wordpress wordpress
  Vendors & Products: Ancorathemes; Ancorathemes wizor's; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Values Removed: (none)
Values Added:
  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion. This issue affects Wizor's: from n/a through <= 2.12.
  Title: WordPress Wizor's theme <= 2.12 - Local File Inclusion vulnerability
  Weaknesses: CWE-98
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:45:53.537Z

Reserved: 2026-01-07T13:44:43.225Z

Link: CVE-2026-22516

Vulnrichment

Updated: 2026-03-26T18:26:00.146Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:34.090

Modified: 2026-04-24T16:32:53.997

Link: CVE-2026-22516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:34Z

Weaknesses