CVE-2026-22369
Published: 20 February 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-22369 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98, "PHP Remote File Inclusion") that allows PHP Local File Inclusion in the Ironfit WordPress theme developed by AncoraThemes. It affects Ironfit versions through 1.5; the record lists the starting version as n/a. The CVE was published on 2026-02-20 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to include and execute local PHP files on the server.
The Patchstack advisory provides details on this Local File Inclusion vulnerability in the WordPress Ironfit theme version 1.5, including mitigation guidance, available at https://patchstack.com/database/Wordpress/Theme/ironfit/vulnerability/wordpress-ironfit-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s): CWE-98
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote file inclusion flaw in a public-facing WordPress theme, directly enabling exploitation of a public-facing application for local file inclusion and potential arbitrary code execution.