{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22515", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:43.225Z", "datePublished": "2026-03-25T16:14:27.982Z", "dateUpdated": "2026-03-26T18:31:40.415Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vegadays", "product": "VegaDays", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 1.2.0", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:11.439Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.<p>This issue affects VegaDays: from n/a through <= 1.2.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.This issue affects VegaDays: from n/a through <= 1.2.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:27.982Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vegadays/vulnerability/wordpress-vegadays-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress VegaDays theme <= 1.2.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:24:39.588314Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:31:40.415Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22515", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:24:39.588314Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:26:02.559Z"}}], "cna": {"title": "WordPress VegaDays theme <= 1.2.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "AncoraThemes", "product": "VegaDays", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.0"}], "packageName": "vegadays", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:11.439Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/vegadays/vulnerability/wordpress-vegadays-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.This issue affects VegaDays: from n/a through <= 1.2.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.<p>This issue affects VegaDays: from n/a through <= 1.2.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:27.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22515", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:31:40.415Z", "dateReserved": "2026-01-07T13:44:43.225Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:27.982Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.This issue affects VegaDays: from n/a through <= 1.2.0."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en AncoraThemes VegaDays vegadays permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a VegaDays: desde n/a hasta &lt;= 1.2.0."}], "id": "CVE-2026-22515", "lastModified": "2026-03-26T19:16:35.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:33.953", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vegadays/vulnerability/wordpress-vegadays-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "VegaDays", "source": "cna", "vendor": "AncoraThemes"}, "product": "vegadays", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:49:08.462791+00:00", "value": {"mitigation_remediation": ["Update the VegaDays theme to a version newer than 1.2.0 or until an official patch is released.", "Verify that all include/require statements in the theme use safe, hard\u2011coded paths and reject user input.", "Restrict the web server\u2019s readable file space or adjust file permissions to prevent arbitrary file access in the WordPress installation."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion that can lead to remote code execution or disclosure of sensitive files"}, "threat_synthesis": {"affected_systems": "The issue affects the AncoraThemes VegaDays WordPress theme version 1.2.0 and earlier. Users deploying these theme versions on any WordPress installation are at risk if the theme\u2019s include paths are exposed to client input.", "description_and_impact": "This vulnerability arises from improper control of filenames in PHP include/require statements within the VegaDays theme. An attacker can supply a crafted path that causes the theme to include arbitrary files from the local filesystem, potentially executing malicious code or revealing confidential data. The weakness is classified as CWE-98, implying that the application does not validate user-supplied file names before inclusion.", "risk_and_exploitability": "The CVSS score is not provided, but Local File Inclusion is generally considered high risk due to its potential to enable remote code execution. EPSS is unavailable, and the vulnerability is not recorded in the CISA KEV catalog, meaning it may still be actively exploited in the wild. Attackers would likely exploit this via a user-controlled parameter that dictates the include path, and success requires that the targeted file be readable by the web server process and that the file contents can be executed."}}}}, "created": "2026-03-25T21:35:05.231708+00:00", "updated": "2026-03-26T11:40:18.614981+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$vegadays", "wordpress", "wordpress$PRODUCT$wordpress"]}