{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24609", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:17.047Z", "datePublished": "2026-01-23T14:29:04.648Z", "dateUpdated": "2026-04-28T16:14:50.325Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "laurent", "product": "Laurent", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:14.143Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.<p>This issue affects Laurent: from n/a through <= 3.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.This issue affects Laurent: from n/a through <= 3.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.325Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Laurent theme <= 3.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:07:39.076454Z", "id": "CVE-2026-24609", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:37:14.859Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24609", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T17:07:39.076454Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:07:31.723Z"}}], "cna": {"title": "WordPress Laurent theme <= 3.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Elated-Themes", "product": "Laurent", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1"}], "packageName": "laurent", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:06:14.143Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.This issue affects Laurent: from n/a through <= 3.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.<p>This issue affects Laurent: from n/a through <= 3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.325Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24609", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:50.325Z", "dateReserved": "2026-01-23T12:32:17.047Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:04.648Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion.This issue affects Laurent: from n/a through <= 3.1."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en programa PHP ('PHP Remote File Inclusion') en Elated-Themes Laurent laurent, permite inclusi\u00f3n local de ficheros PHP. Este problema afecta a Laurent: desde n/a hasta &lt;= 3.1."}], "id": "CVE-2026-24609", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-23T15:16:19.850", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:31:58.733415+00:00", "value": {"mitigation_remediation": ["Update the Laurent theme to the latest available version that removes the vulnerable include logic (version 3.2 or later).", "If an immediate update is not possible, restrict the file inclusion context by enabling PHP's open_basedir or by modifying the theme code to validate filenames against an allow\u2011list before inclusion.", "Deploy a web application firewall or similar filtering rules to block requests containing typical LFI patterns such as \u201c../../../../etc/passwd\u201d or PHP stream wrappers."], "summary": {"action": "Patch", "impact": "Local File Inclusion that can lead to code execution or sensitive data disclosure"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Elated\u2011Themes Laurent theme versions 3.1 or earlier are affected. These versions\u2014 from the earliest release up to 3.1\u2014contain the vulnerable include logic.", "description_and_impact": "This vulnerability stems from improper validation of filenames used in PHP include/require statements within the Elated\u2011Themes Laurent WordPress theme. An attacker who can influence the filename supplied to the include mechanism may cause arbitrary local files to be read or executed, potentially exposing sensitive data or achieving remote code execution. The flaw is classified as CWE\u201198, Local File Inclusion.", "risk_and_exploitability": "The CVSS score for this issue is 7.5, indicating moderate to high severity, while the EPSS value of less than 1% suggests a very low exploitation probability at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which reduces the likelihood of a widespread pre\u2011existing exploit. The most likely attack vector is a remote attacker abusing a publicly exposed PHP page that accepts a filename parameter, but the specific vector is inferred from the nature of the flaw."}}}}, "created": "2026-01-26T11:53:40.354957+00:00", "updated": "2026-04-16T01:45:20.647374+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}