{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39677", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:05.155Z", "datePublished": "2026-04-08T08:30:40.378Z", "dateUpdated": "2026-04-08T08:30:40.378Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "emphires", "product": "Emphires", "vendor": "Creatives_Planet", "versions": [{"lessThanOrEqual": "3.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:41.438Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.<p>This issue affects Emphires: from n/a through <= 3.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:40.378Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/emphires/vulnerability/wordpress-emphires-theme-3-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Emphires theme <= 3.9 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.9."}], "id": "CVE-2026-39677", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:39.360", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/emphires/vulnerability/wordpress-emphires-theme-3-9-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Emphires", "source": "cna", "vendor": "Creatives_Planet"}, "product": "emphires", "vendor": "creatives_planet"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:45:15.438404+00:00", "value": {"mitigation_remediation": ["Upgrade the Emphires theme to a version newer than 3.9."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress installations that employ the Creatives_Planet Emphires theme version 3.9 or earlier are affected. All releases from the first documented version up to and including 3.9 contain the flaw.", "description_and_impact": "The Emphires theme contains a flaw where user-controlled input is passed to PHP's include or require function without proper validation, allowing inclusion of arbitrary local files. This weakness is identified as CWE\u201198. When exploited, an attacker could read sensitive configuration files, view database credentials, or if the included file is PHP code, execute it on the server, thereby compromising data confidentiality and integrity.", "risk_and_exploitability": "No CVSS score is listed, EPSS data is unavailable, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector involves a user\u2011supplied parameter that determines the file path used in the include/require call. Based on the description, it is inferred that the vulnerability could allow a remote attacker to read local files and potentially execute arbitrary PHP code if the site hosts writable PHP scripts, posing a moderate to high risk for publicly accessible WordPress sites that have not been updated."}}}}, "created": "2026-04-08T19:27:54.793772+00:00", "updated": "2026-04-08T19:40:58.449910+00:00", "vendors": ["creatives_planet", "creatives_planet$PRODUCT$emphires", "wordpress", "wordpress$PRODUCT$wordpress"]}