{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27093", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-03-19T06:41:10.108Z", "dateUpdated": "2026-04-28T16:15:01.696Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "tripgo", "product": "Tripgo", "vendor": "ovatheme", "versions": [{"changes": [{"at": "1.5.6", "status": "unaffected"}], "lessThanOrEqual": "1.5.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:44:04.881Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.<p>This issue affects Tripgo: from n/a through < 1.5.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through < 1.5.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.696Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:43:51.486368Z", "id": "CVE-2026-27093", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:45:33.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T14:43:51.486368Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:45:29.676Z"}}], "cna": {"title": "WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ovatheme", "product": "Tripgo", "versions": [{"status": "affected", "changes": [{"at": "1.5.6", "status": "unaffected"}], "version": "n/a", "lessThan": "1.5.6", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress Tripgo theme to the latest available version (at least 1.5.6).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Tripgo theme to the latest available version (at least 1.5.6).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.<p>This issue affects Tripgo: from n/a before 1.5.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T06:41:10.108Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27093", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:45:33.843Z", "dateReserved": "2026-02-17T13:24:05.456Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-19T06:41:10.108Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through < 1.5.6."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('Inclusi\u00f3n remota de ficheros PHP') en Ovatheme Tripgo permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Tripgo: desde n/a antes de 1.5.6."}], "id": "CVE-2026-27093", "lastModified": "2026-04-23T15:37:19.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-03-19T07:15:59.410", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tripgo", "source": "cna", "vendor": "Ovatheme"}, "product": "tripgo", "vendor": "ovatheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T22:18:07.797853+00:00", "value": {"mitigation_remediation": ["Apply the official patch by updating Tripgo to version\u202f1.5.6 or later.", "If an upgrade is not possible immediately, configure strict directory permissions to prevent the web process from reading sensitive files paths referenced by the theme.", "Enforce a whitelist of allowed filenames or validate input before any include/require operation to ensure only permitted files can be included.", "Optionally, enable a web application firewall or security plugin that detects and blocks suspicious file inclusion attempts."], "summary": {"action": "Patch", "impact": "Local File Inclusion vulnerability in WordPress Tripgo theme"}, "threat_synthesis": {"affected_systems": "All deployments of the ovatheme Tripgo WordPress theme running any version earlier than 1.5.6 are affected. No releases 1.5.6 or later contain the vulnerability.", "description_and_impact": "The flaw arises from insufficient validation of filenames used by the Tripgo theme in PHP include or require statements. When an attacker can supply an arbitrary filename, the theme will include that file from the server\u2019s filesystem. This allows direct access to the contents of any file readable by the web process.", "risk_and_exploitability": "The CVSS score of 8.1 indicates high severity. The EPSS score is under 1%, suggesting a low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. The CVE description does not detail how the flaw is triggered, and no public exploits have been reported, so the exact attack vector and prerequisites remain unknown."}}}}, "created": "2026-03-19T08:54:33.081642+00:00", "updated": "2026-04-28T22:30:41.598743+00:00", "vendors": ["ovatheme", "ovatheme$PRODUCT$tripgo", "wordpress", "wordpress$PRODUCT$wordpress"]}