{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39684", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:58:10.483Z", "datePublished": "2026-04-08T08:30:42.529Z", "dateUpdated": "2026-04-08T08:30:42.529Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "organicfood", "product": "OrganicFood", "vendor": "UnTheme", "versions": [{"lessThanOrEqual": "3.6.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:42.556Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.<p>This issue affects OrganicFood: from n/a through <= 3.6.4.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.This issue affects OrganicFood: from n/a through <= 3.6.4."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:42.529Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/organicfood/vulnerability/wordpress-organicfood-theme-3-6-4-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress OrganicFood theme <= 3.6.4 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.This issue affects OrganicFood: from n/a through <= 3.6.4."}], "id": "CVE-2026-39684", "lastModified": "2026-04-08T21:26:13.410", "metrics": {}, "published": "2026-04-08T09:16:40.273", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/organicfood/vulnerability/wordpress-organicfood-theme-3-6-4-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.6.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "OrganicFood", "source": "cna", "vendor": "UnTheme"}, "product": "organicfood", "vendor": "untheme"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:32:03.399200+00:00", "value": {"mitigation_remediation": ["Upgrade the OrganicFood theme to the latest available version if one exists beyond 3.6.4.", "If no newer version is available, consider replacing the theme with a secure alternative or disabling the theme to eliminate the vulnerable code path.", "Verify that file system permissions for the WordPress installation prevent unauthorized access to sensitive directories such as wp-config.php and uploads.", "Monitor site logs for anomalous file read or script execution attempts and keep the core WordPress installation up to date."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion allowing arbitrary file read or code execution"}, "threat_synthesis": {"affected_systems": "The issue affects the UnTheme OrganicFood theme used in WordPress installations. All versions from the earliest revision through version 3.6.4 inclusive are vulnerable; the CVE does not specify a minimum affected release.", "description_and_impact": "This vulnerability is a PHP local file inclusion flaw caused by improper validation of filenames in an include/require statement in the UnTheme OrganicFood WordPress theme. An attacker who can manipulate the path argument can read sensitive files stored on the server or execute arbitrary PHP code, potentially leading to data disclosure, defacement, or complete site compromise. The weakness corresponds to CWE\u201198: Improper Control of Filename for Include/Require Statement.", "risk_and_exploitability": "The CVSS score is not provided, but local file inclusion vulnerabilities typically carry high severity and can enable remote code execution when the attacker controls the include path. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the injection or manipulation of input that reaches the theme\u2019s include/require statement, inferred from the description. The risk remains significant due to the potential for arbitrary code execution without needing prior authentication."}}}}, "created": "2026-04-08T19:27:50.665353+00:00", "updated": "2026-04-08T19:40:36.714289+00:00", "vendors": ["untheme", "untheme$PRODUCT$organicfood", "wordpress", "wordpress$PRODUCT$wordpress"]}