CVE-2026-22515

WordPress VegaDays theme <= 1.2.0 - Local File Inclusion vulnerability

CVSS 8.1 HIGHEPSS 0.5%CWE-98

In short

The WordPress VegaDays theme up to version 1.2.0 has a vulnerability that allows attackers to include and execute arbitrary files from the server. This can lead to unauthorized access to sensitive files or remote code execution on the website.

Technical detail

CWE-98 (improper control of filename in include/require statements) in VegaDays theme <= 1.2.0 allows unauthenticated attackers to perform PHP Local File Inclusion (LFI) via unvalidated file path parameters. Successful exploitation enables reading arbitrary files or executing malicious code on the affected server.

Summary generated and translated by AI from the official description.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion.This issue affects VegaDays: from n/a through <= 1.2.0.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

AncoraThemes · VegaDays

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://patchstack.com/database/Wordpress/Theme/vegadays/vulnerability/wordpress-vegadays-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve