CVE-2026-22385
Published: 05 March 2026
Summary
CVE-2026-22385 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22385 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Wolmart WordPress theme developed by don-themes. This issue affects Wolmart versions from n/a through 1.9.6 and is associated with CWE-98. The vulnerability was published on 2026-03-05 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers with network access can exploit this vulnerability, though it requires high attack complexity and no user interaction. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, allowing attackers to perform local file inclusion on the targeted WordPress site.
The Patchstack advisory provides details on this Local File Inclusion vulnerability in the Wolmart theme version 1.9.6; practitioners should consult https://patchstack.com/database/Wordpress/Theme/wolmart/vulnerability/wordpress-wolmart-theme-1-9-6-local-file-inclusion-vulnerability?_s_id=cve for mitigation and patch information.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9528
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Wolmart wolmart allows PHP Local File Inclusion.This issue affects Wolmart: from n/a through <= 1.9.6.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote file inclusion flaw in a public-facing WordPress theme, directly enabling exploitation of public-facing applications via unauthenticated remote access for LFI/RCE.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2026-22385 by requiring timely identification, prioritization, and remediation of the LFI vulnerability in vulnerable Wolmart theme versions through patching or upgrades.
Addresses the core issue of improper filename control in PHP include/require statements by enforcing strict validation of inputs to prevent local file inclusion exploitation.
Enables proactive discovery of the CVE-2026-22385 LFI vulnerability in Wolmart themes via automated vulnerability scanning, supporting rapid remediation.