CVE-2026-27326
Received Received - Intake
Local File Inclusion in AC Services WordPress Theme

Publication date: 2026-03-05

Last updated on: 2026-03-09

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion.This issue affects AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme: from n/a through <= 1.2.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-09
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27326
EUVD
EUVD-2026-9605
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axiomthemes ac_services to 1.2.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27326 is a Local File Inclusion (LFI) vulnerability found in the WordPress theme "AC Services | HVAC, Air Conditioning & Heating Company" versions up to and including 1.2.5.'}, {'type': 'paragraph', 'content': 'This vulnerability allows unauthenticated attackers to manipulate the theme to include and display local files from the target website. Essentially, attackers can exploit improper control of filename parameters used in PHP include or require statements.'}, {'type': 'paragraph', 'content': 'By exploiting this flaw, attackers can access sensitive files on the server, such as those containing database credentials, which may lead to further compromise of the website.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'Exploitation of this vulnerability can lead to unauthorized disclosure of sensitive files on your website.'}, {'type': 'paragraph', 'content': "Attackers could obtain critical information like database credentials, potentially resulting in a complete database takeover depending on your site's configuration."}, {'type': 'paragraph', 'content': 'This can compromise the confidentiality, integrity, and availability of your website and its data.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is unauthenticated and highly dangerous, it is expected to be actively exploited in the wild.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

This vulnerability is a high-priority Local File Inclusion (LFI) affecting the AC Services WordPress theme versions up to 1.2.5, allowing unauthenticated attackers to include and display local files.

Since no official patch is currently available, users are strongly advised to apply Patchstack’s mitigation rule which blocks attacks exploiting this flaw until an official patch is released.

Applying this mitigation immediately is critical to protect your website from potential exploitation that could expose sensitive files and lead to database takeover.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27326. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart