Cyber Posture

CVE-2026-22512

High
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 25 March 2026

Published
25 March 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 37.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22512 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses improper filename control in PHP include/require by validating user-supplied inputs to block malicious local file inclusion paths.

SI-9 Information Input Restrictions good match
prevent

Restricts information inputs such as filenames or paths to organization-defined safe values, preventing exploitation of the LFI vulnerability in the Roisin theme.

SI-2 Flaw Remediation good match
prevent

Mandates timely identification, reporting, and patching of flaws like this PHP LFI vulnerability in vulnerable WordPress theme versions up to 1.2.1.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

This is a Local File Inclusion vulnerability in a public-facing WordPress theme, allowing unauthenticated remote exploitation over the network for file inclusion, data disclosure, or code execution, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1.

Deeper analysisAI

CVE-2026-22512 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Roisin WordPress theme by Elated-Themes. It affects all versions of Roisin from n/a through 1.2.1.

The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity, no privileges required, and no user interaction. Remote unauthenticated attackers can leverage it to achieve high impacts on confidentiality, integrity, and availability through local file inclusion.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/roisin/vulnerability/wordpress-roisin-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve, which documents the issue in the WordPress Roisin theme version 1.2.1.

Details

CWE(s)
CWE-98
OWASP Top 10 Web 2025
A05:2025

CVEs Like This One

CVE-2024-53800Shared CWE-98
CVE-2025-67925Shared CWE-98
CVE-2026-28032Shared CWE-98
CVE-2025-69397Shared CWE-98
CVE-2025-49889Shared CWE-98
CVE-2026-24635Shared CWE-98
CVE-2025-67941Shared CWE-98
CVE-2025-58943Shared CWE-98
CVE-2025-49894Shared CWE-98
CVE-2026-22395Shared CWE-98

EU & UK References

References