{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23801", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.504Z", "datePublished": "2026-03-05T05:53:48.966Z", "dateUpdated": "2026-04-28T16:14:47.079Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "theissue", "product": "The Issue", "vendor": "fuelthemes", "versions": [{"changes": [{"at": "1.6.12", "status": "unaffected"}], "lessThanOrEqual": "1.6.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:35.001Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.<p>This issue affects The Issue: from n/a through <= 1.6.11.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.This issue affects The Issue: from n/a through <= 1.6.11."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.079Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/theissue/vulnerability/wordpress-the-issue-theme-1-6-11-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress The Issue theme <= 1.6.11 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T14:04:01.800344Z", "id": "CVE-2026-23801", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:44:13.267Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23801", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T14:04:01.800344Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T14:03:54.295Z"}}], "cna": {"title": "WordPress The Issue theme <= 1.6.11 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "fuelthemes", "product": "The Issue", "versions": [{"status": "affected", "changes": [{"at": "1.6.12", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6.11"}], "packageName": "theissue", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:26:17.183Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/theissue/vulnerability/wordpress-the-issue-theme-1-6-11-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.This issue affects The Issue: from n/a through <= 1.6.11.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.<p>This issue affects The Issue: from n/a through <= 1.6.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:44.684Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23801", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:44:13.267Z", "dateReserved": "2026-01-16T14:15:17.504Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:48.966Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.This issue affects The Issue: from n/a through <= 1.6.11."}, {"lang": "es", "value": "Vulnerabilidad de 'PHP Remote File Inclusion' por control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en programa PHP en fuelthemes The Issue theissue permite inclusi\u00f3n local de ficheros PHP. Este problema afecta a The Issue: desde n/a hasta &lt;= 1.6.11."}], "id": "CVE-2026-23801", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:22.630", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/theissue/vulnerability/wordpress-the-issue-theme-1-6-11-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "The Issue", "source": "cna", "vendor": "fuelthemes"}, "product": "the_issue", "vendor": "fuelthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:16:18.260758+00:00", "value": {"mitigation_remediation": ["Update The Issue theme to version 1.6.12 or later where the LFI flaw is addressed.", "Remove or sanitize any query parameters that influence file inclusion in theme code, ensuring the include path is restricted to the theme directory.", "Configure the web server to disallow PHP execution in upload or temporary directories and enforce read\u2011only permissions for critical files to prevent unintended inclusion."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The Issue theme from fuelthemes is vulnerable in all releases up to and including version 1.6.11. WordPress sites that have this theme activated are at risk; no specific WordPress core versions are implicated, so any WordPress installation using The Issue theme <= 1.6.11 is considered affected.", "description_and_impact": "Based on the description, it is inferred that the vulnerability originates from an improper control of the filename used in PHP include/require statements. Attackers can manipulate user\u2011supplied input to cause the theme to include arbitrary files from the local filesystem. This lack of validation can allow an attacker to read sensitive files or execute malicious code if PHP files are included, potentially compromising confidentiality, integrity, and the overall system.", "risk_and_exploitability": "Based on the description, it is inferred that attackers could target the theme via crafted web requests or through authenticated users with file upload capabilities to trigger local file inclusion. The CVSS base score of 8.1 indicates a high\u2011severity issue, yet the EPSS score is less than 1%, indicating a very low likelihood of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Successful exploitation could lead to disclosure of sensitive data or execution of arbitrary code if the server permits PHP execution in the targeted files."}}}}, "created": "2026-03-06T15:13:50.106039+00:00", "updated": "2026-04-16T05:30:25.782871+00:00", "vendors": ["fuelthemes", "fuelthemes$PRODUCT$the_issue", "wordpress", "wordpress$PRODUCT$wordpress"]}