{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25464", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:59.641Z", "datePublished": "2026-03-25T16:14:51.623Z", "dateUpdated": "2026-03-25T16:14:51.623Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "jannah", "product": "Jannah", "vendor": "TieLabs", "versions": [{"lessThanOrEqual": "<= 7.6.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ananda Dhakal (Patchstack)"}], "datePublic": "2026-03-25T17:12:30.767Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.<p>This issue affects Jannah: from n/a through <= 7.6.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through <= 7.6.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:51.623Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Jannah theme <= 7.6.3 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through <= 7.6.3."}], "id": "CVE-2026-25464", "lastModified": "2026-03-25T17:16:52.563", "metrics": {}, "published": "2026-03-25T17:16:52.563", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/jannah/vulnerability/wordpress-jannah-theme-7-6-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:28:24.560000+00:00", "value": {"mitigation_remediation": ["Verify the current Jannah theme version on your WordPress installation.", "Upgrade to a Jannah theme release newer than version 7.6.3 from the official source.", "If an upgrade cannot be performed immediately, disable or remove the vulnerable theme.", "Ensure WordPress core, plugins, and other themes are up to date.", "Monitor vendor advisories for updates."], "summary": {"action": "Patch Theme", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The flaw is present in all versions of the Jannah theme released by TieLabs up to and including version 7.6.3. Any WordPress site that has installed Jannah 7.6.3 or earlier is vulnerable, and administrators should verify their installed theme version and plan an upgrade.", "description_and_impact": "The vulnerability arises from improper validation of a filename used in PHP include/require statements within the TieLabs Jannah WordPress theme. It allows an attacker who can control the filename parameter to cause the theme to include arbitrary local files from the server, potentially exposing sensitive configuration files or, if a PHP file is included, enabling code execution. The weakness aligns with CWE-98: Improper Control of Filename for Include/Require Statement.", "risk_and_exploitability": "EPSS data is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, but this does not reduce the potential impact. Based on the description, it is inferred that the vulnerability can be triggered through an HTTP request that supplies a malicious filename; authentication is not explicitly required. Attackers could read arbitrary local files and, if a PHP file is included, potentially execute code, which could lead to complete site compromise. Accordingly, the risk is considered high for affected installations."}}}}, "created": "2026-03-25T21:44:17.244175+00:00", "updated": "2026-03-25T21:44:17.244209+00:00", "vendors": []}