{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22508", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.067Z", "datePublished": "2026-03-25T16:14:26.112Z", "dateUpdated": "2026-03-25T16:14:26.112Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "dentalux", "product": "Dentalux", "vendor": "AncoraThemes", "versions": [{"lessThanOrEqual": "<= 3.3", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:09.301Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Dentalux dentalux allows PHP Local File Inclusion.<p>This issue affects Dentalux: from n/a through <= 3.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Dentalux dentalux allows PHP Local File Inclusion.This issue affects Dentalux: from n/a through <= 3.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:26.112Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/dentalux/vulnerability/wordpress-dentalux-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Dentalux theme <= 3.3 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Dentalux dentalux allows PHP Local File Inclusion.This issue affects Dentalux: from n/a through <= 3.3."}], "id": "CVE-2026-22508", "lastModified": "2026-03-25T17:16:33.007", "metrics": {}, "published": "2026-03-25T17:16:33.007", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/dentalux/vulnerability/wordpress-dentalux-theme-3-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:22:55.329776+00:00", "value": {"mitigation_remediation": ["Upgrade the Dentalux theme to the latest version (3.4 or newer).", "Ensure that any include paths used by the theme are validated and restricted, preventing external influence.", "Consult the AncoraThemes website or WordPress plugin repository for additional security advisories or patches."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the AncoraThemes Dentalux WordPress theme through version 3.3, meaning any installation of Dentalux up to and including 3.3 is susceptible.", "description_and_impact": "This vulnerability arises from insufficient validation of the filename used in PHP include/require statements, allowing an attacker to manipulate the include path and read or execute arbitrary local files. By exploiting the flaw, an attacker could compromise the confidentiality of sensitive data, alter application logic, or execute arbitrary code, thereby undermining the integrity and availability of the affected WordPress site.", "risk_and_exploitability": "The CVSS score is not disclosed in the data, and no EPSS value is available. The vulnerability is not listed in the CISA KEV catalog, indicating no currently known widespread exploitation. Based on the description, the likely attack vector requires an attacker to provide a crafted input that influences the file inclusion path\u2014either via URL parameters or form fields. Once triggered, the flaw could enable remote code execution if the attacker can supply malicious content or gain elevated privileges. The risk remains high due to the potential severity of the impact, even though specific exploitation evidence is not reported."}}}}, "created": "2026-03-25T21:35:12.264061+00:00", "updated": "2026-03-25T21:35:12.264091+00:00", "vendors": []}