{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27048", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:23:18.876Z", "datePublished": "2026-03-25T16:14:53.467Z", "dateUpdated": "2026-03-25T16:14:53.467Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "theaisle-core", "product": "The Aisle Core", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "<= 2.0.5", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:32.284Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle Core theaisle-core allows PHP Local File Inclusion.<p>This issue affects The Aisle Core: from n/a through <= 2.0.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle Core theaisle-core allows PHP Local File Inclusion.This issue affects The Aisle Core: from n/a through <= 2.0.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:53.467Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/theaisle-core/vulnerability/wordpress-the-aisle-core-plugin-2-0-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress The Aisle Core plugin <= 2.0.5 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle Core theaisle-core allows PHP Local File Inclusion.This issue affects The Aisle Core: from n/a through <= 2.0.5."}], "id": "CVE-2026-27048", "lastModified": "2026-03-25T17:16:54.130", "metrics": {}, "published": "2026-03-25T17:16:54.130", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/theaisle-core/vulnerability/wordpress-the-aisle-core-plugin-2-0-5-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "The Aisle Core", "source": "cna", "vendor": "Elated-Themes"}, "product": "the_aisle_core", "vendor": "elated-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:27:20.983768+00:00", "value": {"mitigation_remediation": ["Update the Aisle Core plugin to a version newer than 2.0.5", "Verify the installed plugin version on the WordPress admin to ensure it is no longer one of the vulnerable releases", "Control file permissions so that the web server user cannot read sensitive files such as wp-config.php", "Monitor the site for any anomalous file requests or read activity"], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Aisle Core plugin distributed by Elated\u2011Themes. All plugin releases from the first available version up through 2.0.5 are susceptible. Any WordPress installation running one of these versions is exposed.", "description_and_impact": "Improper handling of filenames in PHP include/require calls enables a local file inclusion flaw in the Elated\u2011Themes Aisle Core WordPress plugin. By supplying a crafted filename, an attacker can cause the plugin to read arbitrary files from the server\u2019s filesystem. The most direct consequence is the disclosure of sensitive data such as configuration files, potentially exposing database credentials or other confidential information.", "risk_and_exploitability": "No CVSS or EPSS metrics are provided, so the exact severity cannot be quantified here. Exploitation likely requires remote access to the WordPress site via a crafted HTTP request that manipulates a query parameter or form field processed by the plugin. Once triggered, the attacker can read any file the web server user can access, leading to disclosure of sensitive data and possible compromise of the site. The risk level depends on the host\u2019s configuration and the sensitivity of files accessible by the web process."}}}}, "created": "2026-03-25T21:44:08.677706+00:00", "updated": "2026-03-26T11:38:05.186223+00:00", "vendors": ["elated-themes", "elated-themes$PRODUCT$the_aisle_core", "wordpress", "wordpress$PRODUCT$wordpress"]}