Cyber Posture

CVE-2026-22502

High

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 37.1th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue affects Mr. Cobbler: from n/a through <= 1.1.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the vulnerability by requiring timely patching of the flawed PHP include/require statements in the Mr. Cobbler WordPress theme.

SI-10 Information Input Validation good match
prevent

Requires validation of filenames supplied to PHP include/require functions to prevent local file inclusion via improper input handling.

SC-7 Boundary Protection partial match
preventdetect

Boundary protection with web application firewalls blocks or detects remote exploitation attempts targeting the file inclusion flaw.

Security SummaryAI

CVE-2026-22502 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Mr. Cobbler WordPress theme developed by AncoraThemes. The flaw affects all versions of Mr. Cobbler up to and including 1.1.9, stemming from inadequate validation of filenames in PHP include/require statements (CWE-98). It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Remote attackers without privileges can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation allows local file inclusion, potentially enabling attackers to read sensitive configuration files, execute arbitrary code if chained with other flaws, or disrupt service availability, with high impacts on confidentiality, integrity, and availability.

Patchstack has published an advisory detailing the local file inclusion vulnerability in the Mr. Cobbler WordPress theme version 1.1.9, available at https://patchstack.com/database/Wordpress/Theme/mr-cobbler/vulnerability/wordpress-mr-cobbler-theme-1-1-9-local-file-inclusion-vulnerability?_s_id=cve, which likely includes patch information or mitigation guidance for affected installations.

Details

CWE(s)
CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
Why these techniques?

This LFI vulnerability in a public-facing WordPress theme enables unauthenticated remote exploitation of a web application (T1190) and facilitates arbitrary local file inclusion for data collection from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References