{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22516", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:43.225Z", "datePublished": "2026-03-25T16:14:28.255Z", "dateUpdated": "2026-03-26T18:31:40.207Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "wizors-investments", "product": "Wizor's", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 2.12", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:11.779Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion.<p>This issue affects Wizor's: from n/a through <= 2.12.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion.This issue affects Wizor's: from n/a through <= 2.12."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:28.255Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/wizors-investments/vulnerability/wordpress-wizor-s-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Wizor's theme <= 2.12 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:24:38.540218Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:31:40.207Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22516", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T18:24:38.540218Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:26:00.146Z"}}], "cna": {"title": "WordPress Wizor's theme <= 2.12 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "AncoraThemes", "product": "Wizor's", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 2.12"}], "packageName": "wizors-investments", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:11.779Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/wizors-investments/vulnerability/wordpress-wizor-s-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion.This issue affects Wizor's: from n/a through <= 2.12.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion.<p>This issue affects Wizor's: from n/a through <= 2.12.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:28.255Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22516", "state": "PUBLISHED", "dateUpdated": "2026-03-26T18:31:40.207Z", "dateReserved": "2026-01-07T13:44:43.225Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:28.255Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion.This issue affects Wizor's: from n/a through <= 2.12."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP, la vulnerabilidad de 'inclusi\u00f3n remota de ficheros de PHP' en AncoraThemes Wizor's wizors-investments permite la inclusi\u00f3n local de ficheros de PHP. Este problema afecta a Wizor's: desde n/a hasta &lt;= 2.12."}], "id": "CVE-2026-22516", "lastModified": "2026-03-26T19:16:36.107", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:34.090", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/wizors-investments/vulnerability/wordpress-wizor-s-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.12]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}]}, "product": "wizor's", "vendor": "ancorathemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T17:48:50.157970+00:00", "value": {"mitigation_remediation": ["Update the Wizor's theme to the latest release (versions beyond 2.12).", "If an update is not available, deactivate or remove the Wizor's theme from the WordPress installation.", "Consider implementing input validation to ensure that only trusted file paths are used in include or require statements, and monitor server logs for attempts to include unintended files."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "AncoraThemes Wizor's WordPress theme, common on WordPress installations that use the Wizor's theme, versions up to and including 2.12 are affected. The vulnerability is present for all versions from the first release through version 2.12.", "description_and_impact": "The vulnerability arises from improper control of file names used in PHP include/require statements within AncoraThemes Wizor's WordPress theme. This allows an attacker to supply a crafted parameter that causes the PHP interpreter to include an arbitrary local file. Depending on the file chosen, the attacker can read sensitive files or execute arbitrary PHP code. The weakness is a classic example of Local File Inclusion (CWE\u201198).", "risk_and_exploitability": "The CVSS score is not publicly provided, and the EPSS score is unavailable, so the exact severity cannot be quantified from the supplied data. However, because the flaw can be triggered via an HTTP request that includes a user controllable parameter, the exploitation path is straightforward if an attacker can manipulate inbound traffic to the site. If the attacker succeeds, local file inclusion can lead to disclosure of system files, configuration data, or remote code execution, making the risk potentially high, especially on exposed websites. The vulnerability is not listed in CISA\u2019s KEV catalog, so there is no indication of known exploitation at this time."}}}}, "created": "2026-03-25T21:35:04.297729+00:00", "updated": "2026-03-26T11:40:17.651959+00:00", "vendors": ["ancorathemes", "ancorathemes$PRODUCT$wizor's", "wordpress", "wordpress$PRODUCT$wordpress"]}