CVE-2026-27335

CVE-2026-27335 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Local File Inclusion (CWE-98), affecting the Ekoterra WordPress theme developed by AncoraThemes for NonProfit, Green Energy & Ecology sites. The flaw exists in versions from n/a through 1.0.0, where inadequate validation of filenames in PHP include/require statements allows attackers to include local files. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential for significant impacts across confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this over the network with high attack complexity and no user interaction required. Successful exploitation enables reading sensitive local files, potentially leading to disclosure of configuration data, source code, or other server files, and in some cases escalating to remote code execution if controllable files are included. The high impacts reflect the potential for data theft, modification, or denial of service on vulnerable WordPress installations running the affected theme.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/ekoterra/vulnerability/wordpress-ekoterra-nonprofit-green-energy-ecology-theme-theme-1-0-0-local-file-inclusion-vulnerability?_s_id=cve documents the vulnerability, recommending theme updates beyond version 1.0.0 where available or removal of the theme as primary mitigations to prevent exploitation.