CVE-2026-23801
Published: 05 March 2026
Summary
CVE-2026-23801 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws like this PHP LFI vulnerability in the WordPress theme to prevent exploitation.
Mandates validation of information inputs such as filenames in PHP include/require statements to block path traversal and local file inclusion attacks.
Enables vulnerability scanning to identify the LFI flaw in the theme and trigger remediation, addressing exploitation potential.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The LFI vulnerability in the public-facing WordPress theme directly enables T1190 (Exploit Public-Facing Application) for remote unauthenticated exploitation and facilitates T1005 (Data from Local System) by allowing inclusion and potential execution of arbitrary local files, leading to sensitive data access.
NVD Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion.This issue affects The Issue: from n/a through <= 1.6.11.
Deeper analysisAI
CVE-2026-23801 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Local File Inclusion (CWE-98), in the WordPress theme "The Issue" developed by fuelthemes. This issue affects all versions of the theme from n/a through 1.6.11. Published on 2026-03-05, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Unauthenticated remote attackers with network access can exploit this vulnerability, though it requires high attack complexity and no user interaction. Exploitation enables local file inclusion, resulting in high confidentiality, integrity, and availability impacts as reflected in the CVSS metrics.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Theme/theissue/vulnerability/wordpress-the-issue-theme-1-6-11-local-file-inclusion-vulnerability?_s_id=cve) documents the vulnerability specifically in WordPress theme "The Issue" version 1.6.11, recommending mitigation through updating to a version beyond 1.6.11 where available.
Details
- CWE(s)