CVE-2026-22371
Published: 20 February 2026
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2026-22371 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion. It affects the Gustavo WordPress theme developed by AncoraThemes, impacting all versions from n/a through 1.2.2.
The vulnerability carries a CVSS v3.1 base score of 8.1 (High), with an attack vector of network (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Unauthenticated remote attackers can exploit it to perform local file inclusion, potentially allowing them to read sensitive files, execute arbitrary code, modify data, or disrupt service on affected WordPress installations running the vulnerable theme.
Patchstack has documented this local file inclusion vulnerability specific to the Gustavo WordPress theme version 1.2.2 in their database.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in public-facing WordPress theme enables T1190 (exploit public-facing app), facilitates T1005 (data from local system via file access), and T1552.001 (credentials in files like wp-config.php).