CVE-2026-22369
Published: 20 February 2026
Summary
CVE-2026-22369 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 39.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22369 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the Ironfit WordPress theme developed by AncoraThemes. The vulnerability impacts Ironfit versions from n/a through 1.5 and is associated with CWE-98. It was published on 2026-02-20 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network without requiring user interaction, though exploitation demands high attack complexity. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to include and execute local PHP files on the server.
The Patchstack advisory provides details on this Local File Inclusion vulnerability in the WordPress Ironfit theme version 1.5, including mitigation guidance, available at https://patchstack.com/database/Wordpress/Theme/ironfit/vulnerability/wordpress-ironfit-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8251
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ironfit ironfit allows PHP Local File Inclusion. This issue affects Ironfit: from n/a through <= 1.5.
- CWE(s): CWE-98
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote file inclusion flaw in a public-facing WordPress theme, directly enabling exploitation of a public-facing application for local file inclusion and potential arbitrary code execution.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Requires identification, reporting, and correction of the specific PHP Local File Inclusion flaw in Ironfit WordPress theme versions through 1.5.
Enforces validation and sanitization of user-supplied filenames in PHP include/require statements to block local file inclusion exploits.
Provides vulnerability scanning to detect CVE-2026-22369 in deployed components and mandates timely remediation.