{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27335", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:27.898Z", "datePublished": "2026-03-05T05:53:51.227Z", "dateUpdated": "2026-04-28T16:15:01.900Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "ekoterra", "product": "Ekoterra - NonProfit, Green Energy & Ecology Theme", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.0.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:26.295Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.<p>This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.900Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/ekoterra/vulnerability/wordpress-ekoterra-nonprofit-green-energy-ecology-theme-theme-1-0-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Ekoterra - NonProfit, Green Energy & Ecology Theme theme <= 1.0.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T13:23:35.075680Z", "id": "CVE-2026-27335", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:57:49.923Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27335", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T13:23:35.075680Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T13:11:57.510Z"}}], "cna": {"title": "WordPress Ekoterra - NonProfit, Green Energy & Ecology Theme theme <= 1.0.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AncoraThemes", "product": "Ekoterra - NonProfit, Green Energy & Ecology Theme", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.0"}], "packageName": "ekoterra", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:26.295Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/ekoterra/vulnerability/wordpress-ekoterra-nonprofit-green-energy-ecology-theme-theme-1-0-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.<p>This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:01.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27335", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:15:01.900Z", "dateReserved": "2026-02-19T09:51:27.898Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:51.227Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ekoterra - NonProfit, Green Energy & Ecology Theme ekoterra allows PHP Local File Inclusion.This issue affects Ekoterra - NonProfit, Green Energy & Ecology Theme: from n/a through <= 1.0.0."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('inclusi\u00f3n remota de ficheros PHP') en AncoraThemes Ekoterra - NonProfit, Green Energy &amp; Ecology Theme ekoterra permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Ekoterra - NonProfit, Green Energy &amp; Ecology Theme: desde n/a hasta &lt;= 1.0.0."}], "id": "CVE-2026-27335", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:23.977", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/ekoterra/vulnerability/wordpress-ekoterra-nonprofit-green-energy-ecology-theme-theme-1-0-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ekoterra - NonProfit, Green Energy & Ecology Theme", "source": "cna", "vendor": "AncoraThemes"}, "product": "ekoterra_-_nonprofit,_green_energy_&_ecology_theme", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:14:21.489892+00:00", "value": {"mitigation_remediation": ["Update the Ekoterra theme to the latest version, which removes the vulnerable file inclusion logic.", "If an update is not available, deactivate or remove the Ekoterra theme to prevent exploitation.", "Configure the web server or WordPress to block direct access to the theme\u2019s directory or limit PHP\u2019s include path to only whitelisted files.", "Review the theme\u2019s PHP files and sanitize any user\u2011supplied file names, ensuring only allowed filenames are processed."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress installations that have deployed AncoraThemes Ekoterra \u2014 NonProfit, Green Energy & Ecology Theme version 1.0.0 or earlier are affected. The flaw resides in the theme\u2019s core files and is triggered when an attacker provides a crafted query parameter that is passed directly to PHP\u2019s include or require statements. Sites running an updated theme or a different theme are not impacted by this issue.", "description_and_impact": "An improperly validated include path within the Ekoterra theme\u2019s PHP code permits an attacker to supply arbitrary filename values, enabling local file inclusion. By forcing the theme to include files residing outside the intended directory, an attacker may read sensitive files such as configuration or code, potentially leading to further exploitation or exposure of confidential data. The flaw is a classic CWE\u201198 vulnerability and is not limited to remote execution but can serve as a foothold for subsequent attacks.", "risk_and_exploitability": "The CVSS base score of 8.1 classifies this as high severity, and while the EPSS score is reported as less than 1\u202f%, indicating low current exploitation probability, the vulnerability remains exploitable if an attacker can craft a request that includes the malicious file path. The attack vector is likely local or remote access to a WordPress page where the theme processes user\u2011supplied parameters. The vulnerability is not listed in the CISA catalog of known exploited vulnerabilities, suggesting no confirmed widespread exploitation as of now."}}}}, "created": "2026-03-06T15:13:40.569979+00:00", "updated": "2026-04-16T05:15:25.481017+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$ekoterra_-_nonprofit,_green_energy_&_ecology_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}