{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27097", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.457Z", "datePublished": "2026-03-05T05:53:50.204Z", "dateUpdated": "2026-04-28T16:15:01.680Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "casamia", "product": "CasaMia | Property Rental Real Estate WordPress Theme", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.1.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:14.904Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.<p>This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.680Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/casamia/vulnerability/wordpress-casamia-property-rental-real-estate-wordpress-theme-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress CasaMia | Property Rental Real Estate WordPress Theme theme <= 1.1.2 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T19:04:09.639752Z", "id": "CVE-2026-27097", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:56:50.307Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27097", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T19:04:09.639752Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T19:03:27.110Z"}}], "cna": {"title": "WordPress CasaMia | Property Rental Real Estate WordPress Theme theme <= 1.1.2 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AncoraThemes", "product": "CasaMia | Property Rental Real Estate WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.2"}], "packageName": "casamia", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:27:05.550Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/casamia/vulnerability/wordpress-casamia-property-rental-real-estate-wordpress-theme-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.<p>This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T12:10:50.742Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27097", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:56:50.307Z", "dateReserved": "2026-02-17T13:24:05.457Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:50.204Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en programa PHP (vulnerabilidad de 'inclusi\u00f3n remota de ficheros' de PHP) en el tema de WordPress AncoraThemes CasaMia | Property Rental Real Estate casamia permite la inclusi\u00f3n local de ficheros de PHP. Este problema afecta al tema de WordPress CasaMia | Property Rental Real Estate: desde n/a hasta &lt;= 1.1.2."}], "id": "CVE-2026-27097", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:23.303", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/casamia/vulnerability/wordpress-casamia-property-rental-real-estate-wordpress-theme-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "CasaMia | Property Rental Real Estate WordPress Theme", "source": "cna", "vendor": "AncoraThemes"}, "product": "casamia_|_property_rental_real_estate_wordpress_theme", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:15:12.554583+00:00", "value": {"mitigation_remediation": ["Upgrade the CasaMia theme to the latest patched version that removes the LFI vulnerability.", "If an immediate update is not possible, sanitize and validate any user\u2011supplied file path inputs before passing them to include/require functions, restricting paths to a known safe directory tree.", "Eliminate direct user control over file inclusion by removing vulnerable parameters or code from template files and disabling file editing through the WordPress admin interface.", "Deploy or configure a Web Application Firewall to block suspicious file inclusion attempts and monitor server logs for anomalous file access patterns."], "summary": {"action": "Patch immediately", "impact": "Local File Inclusion enabling potential information disclosure or code execution"}, "threat_synthesis": {"affected_systems": "AncoraThemes CasaMia \u2013 Property Rental Real Estate WordPress Theme is affected. All releases from the first published version through and including 1.1.2 contain the vulnerability; any site running 1.1.2 or an earlier version is at risk.", "description_and_impact": "The CasaMia WordPress theme contains a Local File Inclusion flaw caused by uncontrolled use of filenames in PHP include/require statements, a weakness identified as CWE\u201198. An attacker can supply a crafted path that resolves to any file on the server, allowing read access to sensitive data or execution of arbitrary PHP code. The potential impact ranges from information disclosure to full code execution depending on the files accessed.", "risk_and_exploitability": "The CVSS score of 8.1 classifies the issue as high severity. Exploration probability is reported as less than 1\u202f%, indicating a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would target the web application by manipulating query parameters or user inputs that are passed directly to include/require functions, exploiting the lack of input validation."}}}}, "created": "2026-03-06T15:13:45.130345+00:00", "updated": "2026-04-16T05:15:25.484161+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$casamia_|_property_rental_real_estate_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}