{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32504", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:07.664Z", "datePublished": "2026-03-25T16:15:01.383Z", "dateUpdated": "2026-03-25T16:15:01.383Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "vintwood", "product": "VintWood", "vendor": "CreativeWS", "versions": [{"changes": [{"at": "1.1.9", "status": "unaffected"}], "lessThanOrEqual": "<= 1.1.8", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Phat RiO | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:39.292Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.<p>This issue affects VintWood: from n/a through <= 1.1.8.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.This issue affects VintWood: from n/a through <= 1.1.8."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:01.383Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/vintwood/vulnerability/wordpress-vintwood-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress VintWood theme <= 1.1.8 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion.This issue affects VintWood: from n/a through <= 1.1.8."}], "id": "CVE-2026-32504", "lastModified": "2026-03-25T17:17:02.490", "metrics": {}, "published": "2026-03-25T17:17:02.490", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/vintwood/vulnerability/wordpress-vintwood-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:32:05.705715+00:00", "value": {"mitigation_remediation": ["Update the VintWood theme to a version newer than 1.1.8 that contains the LFI fix.", "If an update is not available, disable or delete the VintWood theme to eliminate the vulnerable include logic.", "Review the site for any URLs or inputs that could trigger the include behavior, and restrict or sanitize them if needed.", "Check for additional vendor patches or security advisories in the same or newer theme releases."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress installations that use the CreativeWS VintWood theme version 1.1.8 or earlier are affected.", "description_and_impact": "The VintWood theme for WordPress contains an improper control of the filename parameter used in PHP include/require statements. This flaw permits local file inclusion, meaning an attacker can cause the server to read or execute arbitrary local files. If the included file contains executable code, the attacker could run PHP scripts, potentially taking full control of the web application or leaking sensitive data.", "risk_and_exploitability": "The vulnerability is classified as a local file inclusion (CWE\u201198). No CVSS score or EPSS data is available, and it is not listed in the CISA KEV catalog, so the published severity and exploitation likelihood cannot be precisely quantified. Based on the description, the attack vector appears to be through the theme\u2019s handling of filenames, which could be triggered by a request to the site that provides a crafted path. If an attacker can influence the value used in the include/require, they could read arbitrary server files or execute code, leading to compromise of confidentiality, integrity, or availability. The overall risk is considered moderate to high, especially in environments where the theme is in active use and the site allows arbitrary file inclusion paths."}}}}, "created": "2026-03-25T21:47:35.659829+00:00", "updated": "2026-03-25T21:47:35.659860+00:00", "vendors": []}