{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22477", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:16.751Z", "datePublished": "2026-03-05T05:53:47.385Z", "dateUpdated": "2026-04-28T17:18:36.850Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "felizia", "product": "Felizia", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.3.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:53.832Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.<p>This issue affects Felizia: from n/a through <= 1.3.4.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.This issue affects Felizia: from n/a through <= 1.3.4."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.300Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/felizia/vulnerability/wordpress-felizia-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Felizia theme <= 1.3.4 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:57:02.623150Z", "id": "CVE-2026-22477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:18:36.850Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T14:57:02.623150Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:58:26.680Z"}}], "cna": {"title": "WordPress Felizia theme <= 1.3.4 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AncoraThemes", "product": "Felizia", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.4"}], "packageName": "felizia", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:53.832Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/felizia/vulnerability/wordpress-felizia-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.This issue affects Felizia: from n/a through <= 1.3.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.<p>This issue affects Felizia: from n/a through <= 1.3.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:45.300Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22477", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:18:36.850Z", "dateReserved": "2026-01-07T13:44:16.751Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:47.385Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.This issue affects Felizia: from n/a through <= 1.3.4."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en AncoraThemes Felizia felizia permite Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Felizia: desde n/a hasta &lt;= 1.3.4."}], "id": "CVE-2026-22477", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:21.430", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/felizia/vulnerability/wordpress-felizia-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "felizia", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T12:47:13.885332+00:00", "value": {"mitigation_remediation": ["Upgrade the Felizia theme to version 1.3.5 or newer to remove the vulnerability.", "If an immediate upgrade is not possible, modify the theme\u2019s PHP include/require logic to validate file paths against a whitelist or constrain the include paths to a safe directory.", "Restrict execution in the theme\u2019s directories by configuring .htaccess rules or setting appropriate file permissions to prevent arbitrary script execution."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion that can expose sensitive files or execute arbitrary PHP code"}, "threat_synthesis": {"affected_systems": "The vulnerability affects any WordPress installation that has the AncoraThemes Felizia theme version 1.3.4 or earlier. It is not tied to specific WordPress core releases, and all theme releases from the earliest version up to and including 1.3.4 are susceptible. Updating to version 1.3.5 or newer removes the flaw.", "description_and_impact": "Improper control over filenames used in PHP include/require statements within the AncoraThemes Felizia WordPress theme permits an attacker to specify arbitrary file paths. This local file inclusion flaw can expose sensitive configuration files or other content and, if a PHP file is included, may lead to the execution of malicious code on the server, compromising confidentiality, integrity, or availability. The weakness is classified as CWE\u201198.", "risk_and_exploitability": "With a CVSS score of 8.1, the flaw is considered high severity. The EPSS score of less than 1\u202f% suggests a low likelihood of widespread exploitation in the general user population, and the vulnerability is not yet listed in the CISA KEV catalog. Based on the description, the likely attack vector involves an attacker controlling the filename passed to the theme\u2019s include/require logic, enabling arbitrary file access. If the included file contains executable PHP code, this can result in remote code execution."}}}}, "created": "2026-03-06T15:13:56.674145+00:00", "updated": "2026-04-16T13:00:11.066801+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$felizia", "wordpress", "wordpress$PRODUCT$wordpress"]}