CVE-2026-22457
Published: 05 March 2026
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion.This issue affects Wanderland: from n/a through <= 1.5.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-22457 by requiring timely patching of the vulnerable PHP include/require statements in the Wanderland WordPress theme.
Requires validation of untrusted filenames prior to processing in PHP include/require to prevent local file inclusion exploitation.
Enforces secure PHP configuration settings like open_basedir restrictions or disabling file inclusion functions to limit LFI impact.
Security SummaryAI
CVE-2026-22457 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the Mikado-Themes Wanderland WordPress theme. This issue impacts all versions of Wanderland from n/a through 1.5 inclusive, as documented under CWE-98.
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 8.1). Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability, potentially through local file inclusion via uncontrolled PHP include/require statements.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-22457 is a PHP Remote/Local File Inclusion vulnerability in a public-facing WordPress theme, enabling unauthenticated remote code execution or file access, directly mapping to T1190: Exploit Public-Facing Application.