{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22512", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-07T13:44:36.068Z", "datePublished": "2026-03-25T16:14:27.180Z", "dateUpdated": "2026-03-25T16:14:27.180Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "roisin", "product": "Roisin", "vendor": "Elated-Themes", "versions": [{"lessThanOrEqual": "<= 1.2.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:10.463Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.<p>This issue affects Roisin: from n/a through <= 1.2.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:27.180Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/roisin/vulnerability/wordpress-roisin-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Roisin theme <= 1.2.1 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1."}], "id": "CVE-2026-22512", "lastModified": "2026-03-25T17:16:33.550", "metrics": {}, "published": "2026-03-25T17:16:33.550", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/roisin/vulnerability/wordpress-roisin-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T17:50:04.674087+00:00", "value": {"mitigation_remediation": ["Update the Roisin theme to a version newer than 1.2.1.", "If an update is not immediately available, temporarily deactivate the Roisin theme or switch to a different theme.", "Verify that file permissions on the WordPress upload and theme directories are restrictive and do not allow write access to untrusted users.", "Monitor server logs for attempts to request suspicious files and review activity for signs of exploitation.", "If a patch cannot be applied, apply a configuration\u2011based workaround by blocking or sanitizing user input that could influence the include path, although this is a secondary measure."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "This issue affects the Elated-Themes Roisin theme version 1.2.1 and any earlier releases. WordPress installations using the Roisin theme without updating to a version newer than 1.2.1 are exposed. The vulnerability is specific to the theme itself and does not impact other WordPress components unless the theme is actively used.", "description_and_impact": "The Roisin theme for WordPress contains an improper control of the filename used in a PHP include/require statement. An attacker can supply a crafted input that causes the application to include a local file chosen by the attacker. This flaw permits an attacker to read sensitive local files or, if the application allows arbitrary PHP execution, to run malicious code on the server. The vulnerability leads to a loss of confidentiality and may provide a foothold for further compromise.", "risk_and_exploitability": "No CVSS score is supplied and the EPSS score is unavailable; the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web request that supplies a malicious file path. Due to the nature of a local file inclusion flaw, exploitation would typically require the ability to influence the include path, which may be limited to unauthenticated interaction if the theme processes user\u2011supplied input. Nevertheless, the potential consequences\u2014data exposure or code execution\u2014make the risk significant, and administrators should treat the vulnerability as high priority."}}}}, "created": "2026-03-25T21:35:08.338487+00:00", "updated": "2026-03-25T21:35:08.338527+00:00", "vendors": []}