{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23975", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-19T16:14:52.937Z", "datePublished": "2026-01-22T16:52:42.488Z", "dateUpdated": "2026-04-28T16:14:47.308Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "golo", "product": "Golo", "vendor": "uxper", "versions": [{"changes": [{"at": "1.7.5", "status": "unaffected"}], "lessThanOrEqual": "1.7.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:21:12.782Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.<p>This issue affects Golo: from n/a through < 1.7.5.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.308Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T16:49:00.352112Z", "id": "CVE-2026-23975", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:48:28.305Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23975", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T16:49:00.352112Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T16:49:03.353Z"}}], "cna": {"title": "WordPress Golo theme < 1.7.5 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "uxper", "product": "Golo", "versions": [{"status": "affected", "changes": [{"at": "1.7.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.7.5"}], "packageName": "golo", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:21:12.782Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.<p>This issue affects Golo: from n/a through < 1.7.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:04.045Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23975", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:48:28.305Z", "dateReserved": "2026-01-19T16:14:52.937Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-22T16:52:42.488Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion.This issue affects Golo: from n/a through < 1.7.5."}, {"lang": "es", "value": "Vulnerabilidad de Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('PHP inclusi\u00f3n remota de ficheros') en uxper Golo golo permite PHP inclusi\u00f3n local de ficheros. Este problema afecta a Golo: desde n/a hasta &lt; 1.7.5."}], "id": "CVE-2026-23975", "lastModified": "2026-04-28T16:16:08.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-22T17:16:38.210", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:02:05.161041+00:00", "value": {"mitigation_remediation": ["Upgrade the Golo theme to version 1.7.5 or later to remove the vulnerable inclusion code.", "If an upgrade is not immediately possible, restrict the theme\u2019s ability to include arbitrary files by configuring PHP\u2019s open_basedir to limit included paths strictly to the theme directory.", "Implement input validation or sanitization for any parameters that influence file inclusion paths used by the theme, ensuring only whitelisted directories or filenames are processed."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion that could lead to sensitive file disclosure or remote code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the uxper Golo WordPress theme older than version 1.7.5. Users running any of these versions should inspect whether the theme is present in their WordPress instance and determine if they have the listed and older versions installed.", "description_and_impact": "The vulnerability arises from improper validation of filenames used in PHP include/require statements within the Golo theme. This flaw permits an attacker to manipulate the file path supplied to an include, resulting in a Local File Inclusion (LFI). Through LFI, an attacker can read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, or application code. In environments where the included files are executable or further processed, the LFI can also enable Remote Code Execution, escalating the impact from data disclosure to full system compromise. The root weakness is associated with CWE\u201198, indicating a failure to safely handle include paths.", "risk_and_exploitability": "The CVSS score of 7.5 reflects the high severity of this flaw, and the very low EPSS score (<1%) indicates that, as of the last measurement, exploitation attempts are currently scarce. However, the combination of a severe local file inclusion flaw and the potential for escalation to code execution makes this a critical risk. The vulnerability is not listed in the CISA KEV catalog, but its impact warrants immediate attention, particularly in systems exposed to untrusted input that might reach the theme\u2019s inclusion logic. Attackers would need to craft a request that passes a manipulated filename to the theme\u2019s inclusion logic; no known active exploits have been publicly reported, yet the nature of the flaw makes it a strong candidate for future exploitation."}}}}, "created": "2026-01-23T16:27:50.212180+00:00", "updated": "2026-04-28T18:15:37.352363+00:00", "vendors": ["uxper", "uxper$PRODUCT$golo", "wordpress", "wordpress$PRODUCT$wordpress"]}