CVE-2026-22367
Published: 20 February 2026
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2026-22367 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability in the AncoraThemes Coworking WordPress theme. It is classified as PHP Remote File Inclusion, but what it enables is PHP Local File Inclusion. The issue affects Coworking versions through 1.6.1; no starting version is given (n/a). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.
The vulnerability can be exploited by unauthenticated attackers with network access. Attack complexity is high and no user interaction is required. Successful exploitation has a high impact on confidentiality, integrity, and availability, for example by including and potentially executing arbitrary local PHP files on the server.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/coworking/vulnerability/wordpress-coworking-theme-1-6-1-local-file-inclusion-vulnerability?_s_id=cve, provide further details on the vulnerability and recommended mitigations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress theme (T1190) enables arbitrary local file access via LFI (T1005), potentially leading to code execution.