CVE-2026-22514
Local File Inclusion in AncoraThemes Unica
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ancorathemes | unica | to 1.4.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22514 is a Local File Inclusion (LFI) vulnerability found in the WordPress Unica Theme versions up to and including 1.4.1. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename parameters in PHP include or require statements.
This vulnerability falls under the OWASP Top 10 category A3: Injection, specifically Local File Inclusion, which can lead to unauthorized access to sensitive files on the server.
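The CWE-98 pattern described above, shown as an added example next to a hardened form; this is not code from the Unica theme or from Patchstack. The advisory does not publish the affected file or parameter, so the parameter name `layout`, the `templates/` directory, the allowlist entries and all function names are hypothetical.

```php
<?php
// Added illustration of CWE-98; not code from the Unica theme.
// The "layout" value, the templates/ directory and the function names
// are hypothetical: the advisory does not publish the affected code.

// Weak pattern: the request value reaches include unchecked, so the
// caller of the page decides which file on disk gets loaded.
function render_layout_weak(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened pattern: map the request value onto a fixed allowlist, then
// confirm the resolved path is still inside the templates directory.
function resolve_layout(string $name, string $baseDir): ?string
{
    $allowed = ['default', 'wide', 'sidebar'];   // constructed sample names
    if (!in_array($name, $allowed, true)) {
        return null;                             // unknown value: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                             // directory or file missing
    }
    // Containment check also catches symlinks and allowlist mistakes.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout(string $name): void
{
    $path = resolve_layout($name, __DIR__ . '/templates');
    if ($path === null) {
        http_response_code(400);                 // reject instead of falling back
        return;
    }
    include $path;
}
```

When reviewing a theme for this class of bug, the thing to look for is any `include` or `require` whose path is built from request data without an equivalent allowlist or containment check.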
How can this vulnerability impact me?
Exploitation of this vulnerability can allow attackers to access and display sensitive local files on the affected website, such as database credentials.
If attackers obtain database credentials, they could potentially take over the entire database depending on the website's configuration, leading to data breaches or complete compromise of the website.
The vulnerability has a high severity score of 8.1, indicating a significant risk that could be exploited in widespread attacks.
What immediate steps should I take to mitigate this vulnerability?
This vulnerability currently has no official patch available.
Patchstack has issued a mitigation rule that can block attacks exploiting this Local File Inclusion vulnerability in the Unica WordPress theme versions up to 1.4.1.
Users are advised to apply this mitigation immediately or seek assistance from their hosting provider or web developer to implement the mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Local File Inclusion (LFI) vulnerability in the Unica WordPress theme can lead to unauthorized access to sensitive information such as database credentials. Exposure of such sensitive data may result in data breaches, which can compromise personal and protected health information.
Such breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. Failure to prevent exploitation of this vulnerability may lead to violations of these regulations due to unauthorized data disclosure.
Therefore, organizations using the affected theme should apply mitigations promptly to reduce the risk of non-compliance arising from potential data exposure.