{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32392", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:09.667Z", "datePublished": "2026-03-13T11:42:10.798Z", "dateUpdated": "2026-04-29T09:51:58.844Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "greenly", "product": "Greenly", "vendor": "Creatives_Planet", "versions": [{"changes": [{"at": "8.2", "status": "unaffected"}], "lessThanOrEqual": "8.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:21.397Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.<p>This issue affects Greenly: from n/a through <= 8.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:58.844Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/greenly/vulnerability/wordpress-greenly-theme-8-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Greenly theme <= 8.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T15:42:34.712250Z", "id": "CVE-2026-32392", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:42:58.079Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32392", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T15:42:34.712250Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T15:40:32.918Z"}}], "cna": {"title": "WordPress Greenly theme <= 8.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "Creatives_Planet", "product": "Greenly", "versions": [{"status": "affected", "changes": [{"at": "8.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 8.1"}], "packageName": "greenly", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:13.859Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/greenly/vulnerability/wordpress-greenly-theme-8-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.<p>This issue affects Greenly: from n/a through <= 8.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:10.798Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32392", "state": "PUBLISHED", "dateUpdated": "2026-03-16T15:42:58.079Z", "dateReserved": "2026-03-12T11:11:09.667Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:10.798Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP, vulnerabilidad ('inclusi\u00f3n remota de ficheros PHP') en Creatives_Planet Greenly greenly permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Greenly: desde n/a hasta &lt;= 8.1."}], "id": "CVE-2026-32392", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:54:54.733", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/greenly/vulnerability/wordpress-greenly-theme-8-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "greenly", "vendor": "creatives_planet"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T16:57:43.450813+00:00", "value": {"mitigation_remediation": ["Upgrade the Greenly theme to the latest release (version > 8.1) if available.", "If no update is available, review the theme developer\u2019s advisories or support channels for a patch.", "As a temporary workaround, restrict PHP include paths to a safe directory and validate filename inputs before use.", "Consider disabling unnecessary PHP functions such as include() and require() through server configuration if the theme\u2019s functionality permits.", "Regularly monitor the theme\u2019s security advisories and apply updates promptly."], "summary": {"action": "Patch", "impact": "Local File Inclusion leading to code execution"}, "threat_synthesis": {"affected_systems": "The issue impacts the Creatives_Planet Greenly theme for WordPress for all releases up to and including version 8.1. No specific patch or later versions are listed, so any deployment using the theme version 8.1 or earlier is considered vulnerable. The affected CPEs are not provided; the vendor and product identifiers are Creatives_Planet:Greenly.", "description_and_impact": "The vulnerability arises from improper validation of filenames used in a PHP include/require statement within the Greenly WordPress theme. The CVE description states that this flaw allows PHP Local File Inclusion, which is identified as CWE-98. Local file inclusion can enable an attacker to read or execute arbitrary files on the web server, potentially leading to the execution of malicious code, compromise of confidential data, or service disruption.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector would involve manipulating a local filename parameter within the theme\u2019s PHP code. It is inferred that an attacker could supply a crafted filename to include arbitrary local files, potentially leading to exploitation. The description does not explicitly state the method of exploitation, so this inference is based on the nature of the vulnerability described."}}}}, "created": "2026-03-16T09:34:19.569012+00:00", "updated": "2026-03-23T12:04:09.097120+00:00", "vendors": ["creatives_planet", "creatives_planet$PRODUCT$greenly", "wordpress", "wordpress$PRODUCT$wordpress"]}