CVE-2026-22514
WordPress Unica theme <= 1.4.1 - Local File Inclusion vulnerability
In short
The WordPress Unica theme version 1.4.1 and earlier has a vulnerability that allows attackers to read files from the server by manipulating input parameters. This could expose sensitive information like configuration files containing database credentials.
Technical detail
The vulnerability exists in improper input validation on filename parameters used in PHP include/require statements, enabling local file inclusion (LFI). An unauthenticated attacker can craft requests to include arbitrary files from the server filesystem, potentially disclosing sensitive configuration data or application source code.
Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion.This issue affects Unica: from n/a through <= 1.4.1.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · UnicaWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →