{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27340", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-19T09:51:35.296Z", "datePublished": "2026-03-05T05:53:52.325Z", "dateUpdated": "2026-04-28T16:15:02.041Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "apollo", "product": "Apollo | Night Club, DJ Event WordPress Theme", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "1.3.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:28.808Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.<p>This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.041Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/apollo/vulnerability/wordpress-apollo-night-club-dj-event-wordpress-theme-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Apollo | Night Club, DJ Event WordPress Theme theme <= 1.3.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:41:42.101466Z", "id": "CVE-2026-27340", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:00:05.202Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27340", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:41:42.101466Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:41:04.344Z"}}], "cna": {"title": "WordPress Apollo | Night Club, DJ Event WordPress Theme theme <= 1.3.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "AncoraThemes", "product": "Apollo | Night Club, DJ Event WordPress Theme", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.3.1"}], "packageName": "apollo", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:28.808Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/apollo/vulnerability/wordpress-apollo-night-club-dj-event-wordpress-theme-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.<p>This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:02.041Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27340", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:15:02.041Z", "dateReserved": "2026-02-19T09:51:35.296Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:53:52.325Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP ('inclusi\u00f3n remota de ficheros PHP') en AncoraThemes Apollo | Night Club, DJ Event tema de WordPress apollo permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Apollo | Night Club, DJ Event tema de WordPress: desde n/a hasta &lt;= 1.3.1."}], "id": "CVE-2026-27340", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:24.627", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/apollo/vulnerability/wordpress-apollo-night-club-dj-event-wordpress-theme-theme-1-3-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Apollo | Night Club, DJ Event WordPress Theme", "source": "cna", "vendor": "AncoraThemes"}, "product": "apollo_|_night_club,_dj_event_wordpress_theme", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:13:41.060447+00:00", "value": {"mitigation_remediation": ["Update the Apollo theme to the latest version released by AncoraThemes, if an update that addresses the LFI flaw is available.", "If an immediate upgrade is impractical, modify the theme to restrict include paths to a whitelist and perform strict validation of any filename input before inclusion.", "Disable file editing and restrict the upload of PHP files through the WordPress admin interface to prevent malicious file deployment."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion with potential for remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects all installations of the Apollo | Night Club, DJ Event WordPress Theme from the first release through version 1.3.1. The targeted product is maintained by AncoraThemes and is used by WordPress sites that have installed this theme.", "description_and_impact": "The vulnerability arises from improper control of filenames passed to PHP include/require statements in the AncoraThemes Apollo WordPress theme. An attacker who can influence the filename path can direct the application to read arbitrary local files or, if writeable, execute malicious PHP code. This flaw is rated CVSS 8.1, indicating a high risk of compromising confidentiality, integrity, or availability of the affected site.", "risk_and_exploitability": "The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting low current exploitation probability. However, exploitation would likely occur via an HTTP request that supplies a crafted filename parameter to the theme\u2019s include logic. No authentication or elevated privileges are required, which increases the threat surface for attackers on exposed sites."}}}}, "created": "2026-03-06T15:13:36.285711+00:00", "updated": "2026-04-16T05:15:25.480363+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$apollo_|_night_club,_dj_event_wordpress_theme", "wordpress", "wordpress$PRODUCT$wordpress"]}