CVE-2026-27093 - Vulnerability Details - OpenCVE

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ovatheme	Tripgo
Wordpress	Wordpress

No data.

No data.

References

Link	Providers
https://patchstack.com/database/wordpress/theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve

History

Thu, 19 Mar 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ovatheme Ovatheme tripgo Wordpress Wordpress wordpress
Vendors & Products		Ovatheme Ovatheme tripgo Wordpress Wordpress wordpress

Thu, 19 Mar 2026 07:15:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6.
Title		WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/wordpress/theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-19T06:41:10.108Z

Updated: 2026-03-19T06:41:10.108Z

Reserved: 2026-02-17T13:24:05.456Z

Link: CVE-2026-27093

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-19T07:15:59.410

Modified: 2026-03-19T07:15:59.410

Link: CVE-2026-27093

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27093", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-17T13:24:05.456Z", "datePublished": "2026-03-19T06:41:10.108Z", "dateUpdated": "2026-03-19T06:41:10.108Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-19T06:41:10.108Z"}, "title": "WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-98", "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "affected": [{"vendor": "Ovatheme", "product": "Tripgo", "versions": [{"status": "affected", "version": "n/a", "lessThan": "1.5.6", "changes": [{"at": "1.5.6", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a before 1.5.6.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.<p>This issue affects Tripgo: from n/a before 1.5.6.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/theme/tripgo/vulnerability/wordpress-tripgo-theme-1-5-3-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "solutions": [{"lang": "en", "value": "Update the WordPress Tripgo theme to the latest available version (at least 1.5.6).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress Tripgo theme to the latest available version (at least 1.5.6)."}]}], "credits": [{"lang": "en", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}}}