CVE-2026-22363
Published: 20 February 2026
Summary
CVE-2026-22363 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 39.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22363 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the Rhodos WordPress theme developed by axiomthemes. This issue affects all versions of the Rhodos theme from n/a through 1.3.3 inclusive. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited by unauthenticated attackers (PR:N) with network access (AV:N) and no user interaction (UI:N) required, though it demands high attack complexity (AC:H). Successful exploitation allows high-impact compromise of confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), potentially enabling attackers to read local files or escalate to further compromise depending on server configuration.
The primary advisory from Patchstack details this Local File Inclusion vulnerability in the WordPress Rhodos theme version 1.3.3 and is available at https://patchstack.com/database/Wordpress/Theme/rhodos/vulnerability/wordpress-rhodos-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8250
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rhodos (rhodos) allows PHP Local File Inclusion. This issue affects Rhodos: from n/a through <= 1.3.3.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application) for exploiting the public-facing WordPress theme vulnerability; T1005 (Data from Local System) and T1083 (File and Directory Discovery) for accessing and discovering sensitive local files via LFI.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the LFI vulnerability by requiring timely patching or removal of the vulnerable Rhodos WordPress theme versions through 1.3.3.
- SI-10 (Information Input Validation): prevents exploitation of improper filename control in PHP include/require by validating and sanitizing user-supplied inputs at the application layer, for example by resolving a request parameter against a fixed allowlist of template names rather than using it in the path.
- Secure configuration: hardens the environment against LFI by enforcing secure PHP configuration settings such as open_basedir restrictions and disabling dangerous settings like allow_url_include.
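To make the SI-10 control concrete, the following is an added example and not code from the Rhodos theme, axiomthemes or Patchstack. It shows a generic WordPress-style template loader in the CWE-98 shape (an include path built from a request parameter) next to a hardened version that maps the parameter to an allowlist and verifies the resolved path stays inside the template directory. The function names, the `part` query parameter and the `templates/` directory are assumptions made for the demonstration.

```php
<?php
// Added example (not the Rhodos theme's code). Demonstrates the CWE-98
// pattern and an allowlist-based fix. All names below are assumptions.
declare(strict_types=1);

// Constructed template directory for this demonstration.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern: the include path is built directly from untrusted input,
// so a traversal sequence in $part escapes the template directory and any
// readable file on the server can be pulled into the PHP interpreter.
function load_template_part_vulnerable(string $part): void
{
    include TEMPLATE_DIR . '/' . $part . '.php';
}

// Hardened pattern (SI-10): accept only known template names, then confirm
// the canonical path still lies under TEMPLATE_DIR before including it.
function resolve_template_part(string $part): ?string
{
    $allowed = ['header', 'footer', 'sidebar'];   // constructed allowlist
    if (!in_array($part, $allowed, true)) {
        return null;                               // unknown name: refuse
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $part . '.php');

    // realpath() returns false for a missing file; also reject any resolved
    // path that does not start with the base directory plus a separator.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_part(string $part): void
{
    $path = resolve_template_part($part);
    if ($path === null) {
        http_response_code(400);                   // reject instead of guessing
        return;
    }
    include $path;                                 // only allowlisted, in-tree files reach here
}

// Entry point: the template name comes from the request and is never trusted.
load_template_part((string) ($_GET['part'] ?? 'header'));
```

The allowlist check alone already closes the traversal; the `realpath` comparison is defence in depth against a later edit that widens the allowlist or changes how the path is assembled. At the interpreter level, the configuration controls the page names correspond to `allow_url_include = Off` and an `open_basedir` directive scoped to the site's document root in php.ini; those reduce the blast radius of an include bug but do not replace the application-layer validation shown here.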