CVE-2026-22356: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in Automattic Jetpack CRM
CVE-2026-22356 is a vulnerability in Automattic's Jetpack CRM (zero-bs-crm) up to version 6.7.0 that allows improper control of filenames in PHP include/require statements, leading to a Local File Inclusion (LFI) issue. This flaw enables attackers to include and execute arbitrary local files on the server, potentially exposing sensitive data or enabling further code execution. No public exploits are currently known, and no CVSS score has been assigned. The vulnerability affects PHP-based web applications using Jetpack CRM, which is popular among small to medium businesses for customer relationship management. Exploitation requires the attacker to manipulate input parameters controlling file inclusion without authentication or user interaction. Organizations running vulnerable versions of Jetpack CRM should prioritize patching or applying mitigations to prevent unauthorized file access and possible server compromise. Countries with significant usage of WordPress and PHP-based CRMs, especially in North America, Europe, and parts of Asia, are at higher risk. The severity is assessed as high due to the potential impact on confidentiality and integrity, ease of exploitation, and broad scope of affected systems.
AI Analysis
Technical Summary
CVE-2026-22356 identifies a Local File Inclusion (LFI) vulnerability in Automattic's Jetpack CRM plugin for WordPress, specifically in versions up to 6.7.0. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input that determines which file is included by the PHP script, enabling the inclusion of arbitrary local files from the server. Such an attack can lead to disclosure of sensitive files (e.g., configuration files, password stores), execution of malicious code if the included files contain executable PHP code, or even full system compromise if combined with other vulnerabilities. The vulnerability is classified as a Local File Inclusion rather than Remote File Inclusion, indicating that the attacker can only include files present on the local filesystem, not remote URLs. No public exploits have been reported yet, and no official patch links are provided in the data, suggesting that remediation may still be pending or in progress. The vulnerability was reserved in early January 2026 and published in February 2026. The absence of a CVSS score requires a severity assessment based on the potential impact and exploitability. Given the widespread use of Jetpack CRM in WordPress environments, this vulnerability poses a significant risk to organizations relying on this CRM plugin for customer relationship management. Attackers exploiting this flaw could gain unauthorized access to sensitive data or execute arbitrary code, undermining system integrity and availability.
Potential Impact
The impact of CVE-2026-22356 is substantial for organizations using Jetpack CRM, as successful exploitation can lead to unauthorized disclosure of sensitive information stored on the server, including configuration files, credentials, and customer data. Additionally, attackers may execute arbitrary PHP code by including crafted files, potentially leading to full system compromise, data manipulation, or service disruption. This can result in loss of confidentiality, integrity, and availability of critical business data and services. For organizations handling sensitive customer information or operating in regulated industries, the breach could lead to compliance violations, reputational damage, and financial losses. No public exploit is currently known, but the ease of triggering the LFI through manipulated input increases the risk. The scope includes all installations of Jetpack CRM up to version 6.7.0, which may be widespread given the popularity of WordPress and its plugins. Whether exploitation requires authentication is unclear, but if it is possible without authentication, the risk is further elevated. Overall, the threat could enable attackers to pivot within the network, escalate privileges, or establish persistent access.
Mitigation Recommendations
To mitigate CVE-2026-22356, organizations should immediately verify whether they are running Jetpack CRM versions up to and including 6.7.0 and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement strict input validation and sanitization on all parameters controlling file inclusion paths to prevent manipulation. Employing web application firewalls (WAFs) with rules targeting LFI attack patterns can help detect and block exploitation attempts. Restricting file system permissions to limit the PHP process's access to sensitive files reduces potential damage. Disabling the allow_url_include setting, and avoiding include or require on request-controlled paths where feasible, can also reduce risk. Monitoring logs for suspicious requests involving file inclusion parameters is critical for early detection. Additionally, isolating the CRM environment and enforcing network segmentation can limit lateral movement if exploitation occurs. Organizations should also review and harden their WordPress and plugin configurations, removing unused plugins and themes to reduce attack surface. Finally, maintain regular backups and incident response plans to recover quickly if compromise occurs.
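The following is an added illustration of the "strict input validation on file inclusion parameters" recommendation; it is not Jetpack CRM code and does not reproduce the plugin's vulnerable code path. The view names, the views/ directory layout and the resolve_view helper are assumptions made for the example. It shows the generic CWE-98 pattern as a comment and a hardened replacement that maps a request parameter through an exact-match allowlist, canonicalises the result with realpath(), and refuses anything that resolves outside the intended directory.

```php
<?php
// Added example (not Jetpack CRM code): guarding an include against
// request-controlled filenames. Paths and names below are assumptions.
declare(strict_types=1);

// Vulnerable shape this CVE class describes, shown generically:
//   include __DIR__ . '/views/' . $_GET['view'] . '.php';
// The request fully controls the path, so the include can be steered to
// files the view directory was never meant to expose.

/**
 * Map a request-supplied view name to an absolute file path.
 * Returns null when the name is not on the allowlist or the resolved
 * path lies outside $baseDir.
 */
function resolve_view(string $requested, array $allowlist, string $baseDir): ?string
{
    // 1. Exact-match allowlist: only known keys are accepted, so the
    //    request never contributes characters to the filesystem path.
    if (!array_key_exists($requested, $allowlist)) {
        return null;
    }

    // 2. Canonicalise both sides and confirm containment. realpath()
    //    returns false if the target does not exist, which also rejects
    //    entries that were removed after the allowlist was written.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Assumed view registry for the example; keys are the only values the
// "view" request parameter may take.
$views = [
    'dashboard' => 'dashboard.php',
    'contacts'  => 'contacts.php',
];
$viewDir = __DIR__ . '/views';

$requested = (string)($_GET['view'] ?? 'dashboard');
$file = resolve_view($requested, $views, $viewDir);

if ($file === null) {
    // Reject and record the attempt. Hex-encoding the raw value keeps
    // traversal sequences and control characters out of the log line,
    // which makes the entry safe to grep for and harder to forge.
    http_response_code(400);
    error_log('rejected view parameter: ' . bin2hex($requested));
    exit('Invalid view');
}

include $file;
```

The error_log() call is the hook for the "monitor logs for suspicious requests" recommendation: a WAF or SIEM rule that counts "rejected view parameter" entries per client gives an early signal that someone is probing the inclusion parameter, without the application ever having opened the requested file.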
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-01-07T12:21:24.564Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 6998ca00be58cf853bab9212
Added to database: 2/20/2026, 8:54:24 PM
Last enriched: 2/20/2026, 9:52:50 PM
Last updated: 2/21/2026, 4:08:59 AM