{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22437", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:22:12.277Z", "datePublished": "2026-03-05T05:53:40.779Z", "dateUpdated": "2026-04-28T17:10:43.919Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "playa", "product": "Playa", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.3.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:22.442Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion.<p>This issue affects Playa: from n/a through <= 1.3.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion.This issue affects Playa: from n/a through <= 1.3.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.053Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/playa/vulnerability/wordpress-playa-theme-1-3-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Playa theme <= 1.3.9 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T15:27:31.387103Z", "id": "CVE-2026-22437", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:10:43.919Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22437", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T12:22:12.277Z", "datePublished": "2026-03-05T05:53:40.779Z", "dateUpdated": "2026-04-28T17:10:43.919Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "playa", "product": "Playa", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.3.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:22.442Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion.<p>This issue affects Playa: from n/a through <= 1.3.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion.This issue affects Playa: from n/a through <= 1.3.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:44.053Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/playa/vulnerability/wordpress-playa-theme-1-3-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Playa theme <= 1.3.9 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22437", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T15:27:31.387103Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:26:59.212Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playa playa allows PHP Local File Inclusion.This issue affects Playa: from n/a through <= 1.3.9."}, {"lang": "es", "value": "Vulnerabilidad de Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('inclusi\u00f3n remota de ficheros PHP') en AncoraThemes Playa playa permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Playa: desde n/a hasta &lt;= 1.3.9."}], "id": "CVE-2026-22437", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:18.103", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/playa/vulnerability/wordpress-playa-theme-1-3-9-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "playa", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:28:00.349438+00:00", "value": {"mitigation_remediation": ["Upgrade the AncoraThemes Playa theme to version 1.4.0 or later, which removes the vulnerable include logic.", "If an immediate upgrade is not possible, modify the theme\u2019s inclusion code to validate filenames against a whitelist or enforce a safe include path, effectively blocking arbitrary file access.", "Configure the PHP runtime to disable allow_url_include and set an open_basedir restriction to further limit file inclusion capabilities."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "AncoraThemes Playa, a WordPress theme used in multiple websites, is affected for all releases up to and including version 1.3.9. No specific build or patch versions beyond 1.3.9 are impacted.", "description_and_impact": "The vulnerability is an improper control of the filename used in a PHP include/require statement in the AncoraThemes Playa WordPress theme. The flaw allows an attacker to specify an arbitrary file path, potentially leading to local file read or execution of malicious PHP code. This weakness is classified as CWE\u201198 and can compromise confidentiality, integrity, or availability depending on the files accessed.", "risk_and_exploitability": "With a CVSS score of 8.1 the vulnerability is considered high severity. The EPSS score is reported as less than 1%, indicating a very low likelihood of exploitation at this time. The vulnerability is not currently listed in the CISA KEV catalog. Attackers would likely exploit the flaw through a crafted web request that feeds a malicious filename to the vulnerable include logic. The path to exploitation is local and does not rely on remote code inclusion, but the ability to execute PHP code could elevate the risk to full remote code execution if the arbitrary file is a PHP script."}}}}, "created": "2026-03-06T15:14:19.667381+00:00", "updated": "2026-04-16T05:30:25.801191+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$playa", "wordpress", "wordpress$PRODUCT$wordpress"]}