CVE-2026-22377

High

Published: 20 February 2026

Published

20 February 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 38.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Saveo saveo allows PHP Local File Inclusion.This issue affects Saveo: from n/a through <= 1.1.2.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 mandates information input validation at web interfaces, directly preventing malicious filenames from exploiting improper PHP include/require controls in the Saveo theme.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, ensuring the Local File Inclusion vulnerability in Saveo versions through 1.1.2 is patched to eliminate the improper filename handling.

RA-5 Vulnerability Monitoring and Scanning good match

detect

RA-5 implements vulnerability monitoring and scanning to identify the PHP LFI vulnerability (CVE-2026-22377) in the Saveo WordPress theme.

Security SummaryAI

CVE-2026-22377 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Saveo WordPress theme developed by AncoraThemes. This issue affects Saveo versions from n/a through 1.1.2 and is associated with CWE-98. Published on 2026-02-20, it carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing attackers to read sensitive local files or execute arbitrary code through improper PHP include/require handling.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/saveo/vulnerability/wordpress-saveo-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve details this Local File Inclusion vulnerability in Saveo version 1.1.2.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a public-facing PHP Local File Inclusion (LFI) in a WordPress theme, directly exploitable over the network to achieve RCE or file access, mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/saveo/vulnerability/wordpress-saveo-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com