{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27988", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:12:49.962Z", "datePublished": "2026-03-05T05:54:04.846Z", "dateUpdated": "2026-04-28T16:45:04.564Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "equadio", "product": "Equadio", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.1.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:26.009Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion.<p>This issue affects Equadio: from n/a through <= 1.1.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion.This issue affects Equadio: from n/a through <= 1.1.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:03.606Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/equadio/vulnerability/wordpress-equadio-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Equadio theme <= 1.1.3 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T20:43:06.467788Z", "id": "CVE-2026-27988", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T16:45:04.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-27988", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T20:43:06.467788Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T20:41:59.469Z"}}], "cna": {"title": "WordPress Equadio theme <= 1.1.3 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "ThemeREX", "product": "Equadio", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.1.3"}], "packageName": "equadio", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-05T06:52:02.632Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/equadio/vulnerability/wordpress-equadio-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion.This issue affects Equadio: from n/a through <= 1.1.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion.<p>This issue affects Equadio: from n/a through <= 1.1.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-05T05:54:04.846Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27988", "state": "PUBLISHED", "dateUpdated": "2026-03-06T20:43:32.626Z", "dateReserved": "2026-02-25T12:12:49.962Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:04.846Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion.This issue affects Equadio: from n/a through <= 1.1.3."}, {"lang": "es", "value": "La vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('inclusi\u00f3n remota de ficheros PHP') en ThemeREX Equadio equadio permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Equadio: desde n/a hasta &lt;= 1.1.3."}], "id": "CVE-2026-27988", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:31.050", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/equadio/vulnerability/wordpress-equadio-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "equadio", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T05:06:18.714433+00:00", "value": {"mitigation_remediation": ["Upgrade the Equadio theme to the latest available version from ThemeREX, which should contain a fix for this LFI flaw.", "If an update cannot be performed immediately, deactivate or uninstall the Equadio theme to prevent the vulnerable code from executing.", "Ensure that any custom code or child themes do not use user-supplied data in include/require calls; sanitize or hard\u2011code the file paths to avoid arbitrary file inclusion."], "summary": {"action": "Apply Patch", "impact": "Unrestricted Local File Inclusion in the WordPress Equadio theme that may lead to arbitrary code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability is found in the ThemeREX Equadio theme, affecting all releases from the earliest available version up to and including version 1.1.3. No additional version ranges are specified in the advisory, so any installation of Equadio 1.1.3 or older is potentially insecure.", "description_and_impact": "The Equadio theme contains a flaw where user-controlled data can be passed directly to a PHP include/require statement without proper validation or sanitization. This improper control of the filename field enables an attacker to read or execute malicious files on the server, potentially giving them the ability to run arbitrary code or access restricted files.", "risk_and_exploitability": "The reported CVSS score of 8.1 categorizes it as High severity. The EPSS score of less than 1% indicates that, as of the latest assessment, the probability of exploitation is low, and it has not been listed in the CISA KEV catalog. However, because the flaw permits local file inclusion, a compromised WordPress installation could be leveraged to execute arbitrary scripts if an attacker controls the server\u2019s filesystem or can supply a path that resolves to a dangerous file."}}}}, "created": "2026-03-06T15:11:53.012540+00:00", "updated": "2026-04-16T05:15:25.470252+00:00", "vendors": ["themerex", "themerex$PRODUCT$equadio", "wordpress", "wordpress$PRODUCT$wordpress"]}