CVE-2026-27337

WordPress Chronicle - Lifestyle Magazine & Blog WordPress Theme theme <= 1.0 - Local File Inclusion vulnerability

CVSS 8.1 HIGHEPSS 0.5%CWE-98

In short

The Chronicle WordPress theme has a vulnerability that lets attackers read or execute files from the server by manipulating file path inputs. This happens because the theme doesn't properly validate what files it includes, potentially exposing sensitive information or allowing malicious code execution.

Technical detail

The vulnerability is a PHP Local File Inclusion (LFI) flaw arising from improper input validation on filename parameters used in include/require statements (CWE-98). An attacker can supply crafted file paths to access arbitrary files on the server; exploitation requires the ability to influence the affected input parameters, and successful exploitation may lead to information disclosure or code execution depending on accessible files and server configuration.

Summary generated and translated by AI from the official description.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through <= 1.0.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

AncoraThemes · Chronicle - Lifestyle Magazine & Blog WordPress Theme

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://patchstack.com/database/Wordpress/Theme/chronicle/vulnerability/wordpress-chronicle-lifestyle-magazine-blog-wordpress-theme-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve