CVE-2026-22446
Published: 05 March 2026
Summary
CVE-2026-22446 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22446 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion (LFI), in the Prowess WordPress theme developed by Select-Themes. This issue affects Prowess versions from n/a through 1.8.1. Published on 2026-03-05, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-98.
Unauthenticated remote attackers with network access can exploit the vulnerability without requiring user interaction, though it demands high attack complexity. Exploitation grants high-impact access to confidentiality, integrity, and availability, allowing attackers to include and potentially execute arbitrary local files on the server.
The Patchstack advisory documents this local file inclusion vulnerability in the WordPress Prowess theme up to version 1.8.1 and provides details on mitigation, which centers on updating to a patched version of the theme.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9570
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion.This issue affects Prowess: from n/a through <= 1.8.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of a public-facing WordPress theme via improper filename control in PHP include (T1190: Exploit Public-Facing Application), enabling inclusion and execution of local files for data collection from the local system (T1005: Data from Local System).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of software flaws such as the PHP LFI vulnerability in Prowess theme versions through 1.8.1 via patches or updates.
Mandates validation of user-controlled inputs to PHP include/require statements, directly preventing arbitrary local file inclusion by rejecting invalid filenames.
Requires ongoing vulnerability scanning and monitoring to identify flaws like CVE-2026-22446 in installed WordPress themes, enabling proactive remediation.