CVE-2026-22368

High

Published: 20 February 2026

Published

20 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through <= 1.0.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation directly mitigates this CVE by patching the vulnerable Redy WordPress theme to fix the improper filename control in PHP include/require.

SI-10 Information Input Validation good match

prevent

Information input validation ensures filenames provided to PHP include/require statements are properly checked to prevent local file inclusion exploitation.

CM-6 Configuration Settings good match

prevent

Configuration settings enforce secure PHP configurations such as open_basedir restrictions to limit file access and block LFI attempts outside authorized paths.

Security SummaryAI

CVE-2026-22368 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98 and described as enabling PHP Local File Inclusion, affecting the axiomthemes Redy theme for WordPress in versions from n/a through 1.0.2. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing local file inclusion that could lead to sensitive data exposure, arbitrary code execution, or system compromise on affected WordPress installations running the vulnerable Redy theme.

The Patchstack advisory documents this Local File Inclusion vulnerability specifically in WordPress Redy theme version 1.0.2, providing details for security practitioners via their vulnerability database.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a local file inclusion (LFI) flaw in a public-facing WordPress theme, exploitable remotely without authentication to include and execute local files, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/redy/vulnerability/wordpress-redy-theme-1-0-2-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com