{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22403", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:21:46.518Z", "datePublished": "2026-03-05T05:53:35.418Z", "dateUpdated": "2026-04-28T16:56:11.619Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "innovio", "product": "Innovio", "vendor": "Mikado-Themes", "versions": [{"changes": [{"at": "1.9.1", "status": "unaffected"}], "lessThanOrEqual": "1.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:12.719Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.<p>This issue affects Innovio: from n/a through <= 1.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.This issue affects Innovio: from n/a through <= 1.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.893Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Innovio theme <= 1.9 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T14:21:54.763859Z", "id": "CVE-2026-22403", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:56:11.619Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22403", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T14:21:54.763859Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T14:21:31.702Z"}}], "cna": {"title": "WordPress Innovio theme <= 1.9 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mikado-Themes", "product": "Innovio", "versions": [{"status": "affected", "changes": [{"at": "1.9.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.9"}], "packageName": "innovio", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:12.719Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.This issue affects Innovio: from n/a through <= 1.9.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.<p>This issue affects Innovio: from n/a through <= 1.9.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:42.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22403", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:56:11.619Z", "dateReserved": "2026-01-07T12:21:46.518Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:35.418Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.This issue affects Innovio: from n/a through <= 1.9."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP (vulnerabilidad de 'inclusi\u00f3n remota de ficheros PHP') en Mikado-Themes Innovio innovio permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Innovio: desde n/a hasta &lt;= 1.7."}], "id": "CVE-2026-22403", "lastModified": "2026-04-23T15:36:29.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:14.350", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Innovio", "source": "cna", "vendor": "Mikado-Themes"}, "product": "innovio", "vendor": "mikado-themes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:22:54.430436+00:00", "value": {"mitigation_remediation": ["Upgrade the Innovio theme to a release that removes the vulnerable include logic.", "If an upgrade is not immediately possible, disable or delete the Innovio theme to eliminate the attack surface.", "Implement web\u2011application or server\u2011level controls that restrict include paths to known safe directories and validate any user input used in file operations; consider deploying a firewall rule that blocks directory traversal patterns such as \"../\" in request parameters."], "summary": {"action": "Update Theme", "impact": "Local File Inclusion, potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The issue affects the Mikado-Themes Innovio WordPress theme versions 1.9 and all earlier releases. No information is available for versions above 1.9, so any site running 1.9 or earlier is considered vulnerable.", "description_and_impact": "The vulnerability is a PHP Local File Inclusion type that arises from improper control of filenames used in PHP include/require statements within the Innovio WordPress theme. As a result, attackers can influence the file path that the theme processes, enabling them to read any file on the server that is accessible to the web server process. This issue is a CWE\u201198 vulnerability (Improper Control of Filename for Include/Require). If the included file contains executable PHP code, the attacker could potentially execute that code, which is inferred from the description of the vulnerability. This could lead to full compromise of the website. The vulnerability carries a high severity score of 8.1 according to the industry standard scoring system.", "risk_and_exploitability": "The reported exploitation probability is less than 1%, indicating that widespread attacks are not common and the flaw is not listed in the known exploited vulnerabilities catalog. Still, the high severity underscores significant potential impact. An attacker can likely leverage crafted URLs or user\u2011supplied input that influences the include path, potentially without authentication if the theme does not enforce proper checks. Successful exploitation would permit the attacker to read sensitive configuration files or execute arbitrary PHP code, which is inferred from the vulnerability description, thereby compromising the entire website."}}}}, "created": "2026-03-06T15:14:41.981726+00:00", "updated": "2026-04-28T22:30:41.618843+00:00", "vendors": ["mikado-themes", "mikado-themes$PRODUCT$innovio", "wordpress", "wordpress$PRODUCT$wordpress"]}