CVE-2026-22432

WordPress Woopy theme <= 1.2 - Local File Inclusion vulnerability

CVSS 8.1 HIGHEPSS 0.5%CWE-98

In short

The Woopy WordPress theme up to version 1.2 contains a vulnerability that allows attackers to include and execute local files on the server. This can lead to unauthorized access to sensitive files or remote code execution if exploited.

Technical detail

CWE-98 (improper control of filename for include/require statements) in Woopy <= 1.2 allows local file inclusion (LFI) through inadequately sanitized include/require parameters. An attacker with web access can manipulate file path inputs to include arbitrary local files, potentially leading to information disclosure or code execution depending on file accessibility and context.

Summary generated and translated by AI from the official description.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Woopy woopy allows PHP Local File Inclusion.This issue affects Woopy: from n/a through <= 1.2.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

AncoraThemes · Woopy

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://patchstack.com/database/Wordpress/Theme/woopy/vulnerability/wordpress-woopy-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve