CVE-2026-22368
Published: 20 February 2026
Summary
CVE-2026-22368 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22368 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98 and described as enabling PHP Local File Inclusion, affecting the axiomthemes Redy theme for WordPress in versions from n/a through 1.0.2. Published on 2026-02-20, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
An unauthenticated remote attacker can exploit this vulnerability over the network, though it requires high attack complexity and no user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing local file inclusion that could lead to sensitive data exposure, arbitrary code execution, or system compromise on affected WordPress installations running the vulnerable Redy theme.
The Patchstack advisory documents this Local File Inclusion vulnerability specifically in WordPress Redy theme version 1.0.2, providing details for security practitioners via their vulnerability database.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8387
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through <= 1.0.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a local file inclusion (LFI) flaw in a public-facing WordPress theme, exploitable remotely without authentication to include and execute local files, directly mapping to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly mitigates this CVE by patching the vulnerable Redy WordPress theme to fix the improper filename control in PHP include/require.
Information input validation ensures filenames provided to PHP include/require statements are properly checked to prevent local file inclusion exploitation.
Configuration settings enforce secure PHP configurations such as open_basedir restrictions to limit file access and block LFI attempts outside authorized paths.