{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22385", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:40.878Z", "datePublished": "2026-03-05T05:53:32.704Z", "dateUpdated": "2026-04-28T16:53:47.563Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "wolmart", "product": "Wolmart", "vendor": "don-themes", "versions": [{"lessThanOrEqual": "1.9.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:17.165Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.<p>This issue affects Wolmart: from n/a through <= 1.9.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.This issue affects Wolmart: from n/a through <= 1.9.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.037Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/wolmart/vulnerability/wordpress-wolmart-theme-1-9-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Wolmart theme <= 1.9.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T13:10:46.699636Z", "id": "CVE-2026-22385", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:53:47.563Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22385", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T13:10:46.699636Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T13:09:46.697Z"}}], "cna": {"title": "WordPress Wolmart theme <= 1.9.6 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "don-themes", "product": "Wolmart", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9.6"}], "packageName": "wolmart", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:17.165Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/wolmart/vulnerability/wordpress-wolmart-theme-1-9-6-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.This issue affects Wolmart: from n/a through <= 1.9.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.<p>This issue affects Wolmart: from n/a through <= 1.9.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:43.037Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22385", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:53:47.563Z", "dateReserved": "2026-01-07T12:21:40.878Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:32.704Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.This issue affects Wolmart: from n/a through <= 1.9.6."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP, vulnerabilidad de 'inclusi\u00f3n remota de ficheros PHP' en don-themes Wolmart wolmart permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Wolmart: desde n/a hasta &lt;= 1.9.6."}], "id": "CVE-2026-22385", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:13.103", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/wolmart/vulnerability/wordpress-wolmart-theme-1-9-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "wolmart", "vendor": "don-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T12:56:25.157723+00:00", "value": {"mitigation_remediation": ["Upgrade Wolmart theme to the latest release available from don\u2011themes, ensuring any update that addresses the include logic is installed.", "Configure the theme or WordPress environment to use a strict whitelist for file inclusion paths, rejecting any user\u2011supplied filenames that are not explicitly allowed.", "Restrict file system permissions for the web\u2011root and configuration files so that the web server process cannot read sensitive files such as wp-config.php or other password\u2011protected files."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion enabling arbitrary file access and potential code execution"}, "threat_synthesis": {"affected_systems": "The issue affects the don\u2011themes Wolmart WordPress theme up to and including version 1.9.6. No specific sub\u2011versions are listed beyond the overall range, so all releases in that range are considered vulnerable.", "description_and_impact": "The Vulnerability arises from improper control of the filename used in PHP include/require statements within the Wolmart theme. An attacker can supply a crafted value that causes the application to read arbitrary files on the server, potentially including PHP scripts that could be executed when the file is included. This flaw allows disclosure of sensitive data such as configuration files and, if attacker\u2011controlled PHP files are included, code execution with the privileges of the web server. The weakness corresponds to CWE\u201198, \"Improper Control of Filename for Include/Require Statement\".", "risk_and_exploitability": "The CVSS v3 score of 8.1 places the flaw in the high severity category, and the EPSS score of less than 1\u202f% indicates a very low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would most likely target websites running the affected theme via unauthenticated HTTP requests that trigger the vulnerable inclusion logic. Successful exploitation would provide the attacker with arbitrary file access on the host, potentially leading to information disclosure or remote code execution if the attacker can place and include malicious PHP files."}}}}, "created": "2026-03-06T15:14:49.861369+00:00", "updated": "2026-04-17T13:00:12.020349+00:00", "vendors": ["don-themes", "don-themes$PRODUCT$wolmart", "wordpress", "wordpress$PRODUCT$wordpress"]}