CVE-2026-22431
WordPress Wabi-Sabi theme <= 1.2 - Local File Inclusion vulnerability
In short
The Wabi-Sabi WordPress theme version 1.2 and earlier has a flaw that allows attackers to include and execute arbitrary local files on the server, potentially exposing sensitive information or compromising the website.
Technical detail
PHP Local File Inclusion (LFI) vulnerability in Wabi-Sabi theme <= 1.2 due to improper input validation on file inclusion parameters. An unauthenticated attacker can manipulate include/require statements to access arbitrary local files on the server filesystem, leading to information disclosure or code execution depending on accessible file contents and permissions.
Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Wabi-Sabi wabi-sabi allows PHP Local File Inclusion.This issue affects Wabi-Sabi: from n/a through <= 1.2.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · Wabi-SabiWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →