{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32500", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.663Z", "datePublished": "2026-03-25T16:15:00.649Z", "dateUpdated": "2026-03-25T16:15:00.649Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "metamax", "product": "MetaMax", "vendor": "CreativeWS", "versions": [{"changes": [{"at": "1.1.5", "status": "unaffected"}], "lessThanOrEqual": "<= 1.1.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:38.240Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion.<p>This issue affects MetaMax: from n/a through <= 1.1.4.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion.This issue affects MetaMax: from n/a through <= 1.1.4."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:00.649Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/metamax/vulnerability/wordpress-metamax-theme-1-1-4-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress MetaMax theme <= 1.1.4 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion.This issue affects MetaMax: from n/a through <= 1.1.4."}], "id": "CVE-2026-32500", "lastModified": "2026-03-25T17:17:01.950", "metrics": {}, "published": "2026-03-25T17:17:01.950", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/metamax/vulnerability/wordpress-metamax-theme-1-1-4-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MetaMax", "source": "cna", "vendor": "CreativeWS"}, "product": "metamax", "vendor": "creativews"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T21:05:47.253091+00:00", "value": {"mitigation_remediation": ["Upgrade CreativeWS MetaMax theme to a version newer than 1.1.4 on all affected WordPress installations.", "If an immediate update is not feasible, consider deactivating the MetaMax theme or switching to an alternative theme.", "Check the vendor\u2019s website or community advisories for patches or updates that address this vulnerability."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress installations that have the CreativeWS MetaMax theme that are version 1.1.4 or earlier are vulnerable. The issue is confined to the theme and does not affect core WordPress or other plugins unless the theme is active and used to include files.", "description_and_impact": "The MetaMax theme uses file names supplied by the application in PHP include/require statements without proper validation. This flaw allows an attacker to supply a crafted file path that causes the theme to include arbitrary local files on the server. The result is that sensitive files on the web host may be exposed or processed by the PHP interpreter, as the included content is treated as PHP code.", "risk_and_exploitability": "The vulnerability is not listed in the CISA KEV catalog and no EPSS score is provided. The CVSS score is not disclosed in the CVE record. Because the flaw involves the inclusion of arbitrary local files and the description does not specify any authentication requirement, the potential impact lies in the disclosure or manipulation of server files, but the exact exploitation likelihood cannot be determined from the available data."}}}}, "created": "2026-03-25T21:47:39.644930+00:00", "updated": "2026-03-26T11:37:27.986074+00:00", "vendors": ["creativews", "creativews$PRODUCT$metamax", "wordpress", "wordpress$PRODUCT$wordpress"]}