CVE-2026-22516
Published: 25 March 2026
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wizor's wizors-investments allows PHP Local File Inclusion. This issue affects Wizor's: from n/a through <= 2.12.
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of the known PHP Local File Inclusion flaw in the wizors-investments WordPress theme, directly preventing exploitation of CVE-2026-22516.
Mandates validation of filenames used in PHP include/require statements to block improper file inclusion attacks as in this CVE.
Supports proactive discovery of PHP file inclusion vulnerabilities like CVE-2026-22516 in WordPress themes through ongoing monitoring and scanning.
Security Summary
CVE-2026-22516 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the Wizor's (wizors-investments) WordPress theme developed by AncoraThemes. The flaw allows PHP Local File Inclusion and affects all versions up to and including 2.12.
The vulnerability can be exploited by unauthenticated remote attackers (PR:N) over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 base score of 8.1 (S:U), potentially allowing arbitrary file inclusion leading to code execution or data exposure.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/wizors-investments/vulnerability/wordpress-wizor-s-theme-2-12-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a public-facing WordPress theme LFI (T1190) enabling remote unauthenticated reading of sensitive local files (T1005).