CVE-2026-22423
Published: 05 March 2026
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through <= 1.8.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by validating user-supplied filenames in PHP include/require statements to prevent local file inclusion.
Restricts filename inputs to whitelisted safe paths, blocking exploitation of improper filename control in the SetSail theme.
Remediates the specific PHP Local File Inclusion flaw in SetSail versions through 1.8 by applying patches from advisories like Patchstack.
Security SummaryAI
CVE-2026-22423 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the SetSail WordPress theme developed by Select-Themes. This issue affects SetSail versions from n/a through 1.8 inclusive. Published on 2026-03-05, it is associated with CWE-98 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit the vulnerability remotely over the network, though it requires high attack complexity and no user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing attackers to include and execute local files on the server.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/setsail/vulnerability/wordpress-setsail-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a local file inclusion (LFI) flaw in a public-facing WordPress theme, directly enabling exploitation of a public-facing application for remote access, data disclosure, and potential RCE.