Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion. This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion with potential for remote code execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises from improper control of filenames passed to PHP include/require statements in the AncoraThemes Apollo WordPress theme. An attacker who can influence the filename path can direct the application to read arbitrary local files or, if the attacker can write to a file that is then included, to execute malicious PHP code. This flaw is rated CVSS 8.1, indicating a high risk of compromising confidentiality, integrity, or availability of the affected site.

Affected Systems

The flaw affects all installations of the Apollo | Night Club, DJ Event WordPress Theme from the first release through version 1.3.1. The affected product is maintained by AncoraThemes and is used by WordPress sites that have installed this theme.

Risk and Exploitability

The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a low current probability of exploitation. However, exploitation would likely occur via an HTTP request that supplies a crafted filename parameter to the theme's include logic. No authentication or elevated privileges are required, which increases the exposure of sites reachable from the internet.

Generated by OpenCVE AI on April 16, 2026 at 05:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Apollo theme to the latest version released by AncoraThemes, if an update that addresses the LFI flaw is available.
  • If an immediate upgrade is impractical, modify the theme to restrict include paths to a whitelist and perform strict validation of any filename input before inclusion.
  • Disable file editing and restrict the upload of PHP files through the WordPress admin interface to prevent malicious file deployment.


Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Ancorathemes
  • Ancorathemes apollo | Night Club, Dj Event Wordpress Theme
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Ancorathemes
  • Ancorathemes apollo | Night Club, Dj Event Wordpress Theme
  • Wordpress
  • Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion. This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Apollo | Night Club, DJ Event WordPress Theme theme <= 1.3.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:09.065Z

Reserved: 2026-02-19T09:51:35.296Z

Link: CVE-2026-27340

Vulnrichment

Updated: 2026-03-09T17:41:04.344Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:24.627

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27340

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z
