Cyber Posture and Threat Data

CVE-2026-22512

High

Published: March 25, 2026

CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.7th percentile)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion. This issue affects Roisin: from n/a through <= 1.2.1.

Security Summary

CVE-2026-22512 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability (CWE-98) in the Elated-Themes Roisin WordPress theme. The weakness class is named "PHP Remote File Inclusion", but in this case it enables PHP Local File Inclusion. The issue affects Roisin versions through 1.2.1; no lower bound is given. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), which is high severity: the potential impact is significant even though attack complexity is rated high.

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though it requires high attack complexity. Exploitation allows inclusion of local PHP files, leading to high impacts on confidentiality, integrity, and availability, such as unauthorized access to sensitive data or potential code execution on the server.

The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/roisin/vulnerability/wordpress-roisin-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve) documents this Local File Inclusion vulnerability in the Roisin WordPress theme version 1.2.1 and provides associated mitigation guidance.

Details

CWE(s)
CWE-98

MITRE ATT&CK Enterprise Techniques

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References