CVE-2026-22373: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes Fooddy
CVE-2026-22373 is a vulnerability in AncoraThemes Fooddy (version <= 1.3.10) involving improper control of filenames in PHP include/require statements, leading to a Local File Inclusion (LFI) issue. This flaw allows attackers to include and execute arbitrary local files on the server, potentially exposing sensitive data or enabling further exploitation. No known public exploits currently exist, but the vulnerability poses significant risks if exploited. It affects websites using the Fooddy theme, commonly deployed in WordPress environments. Exploitation requires the attacker to manipulate input that controls file inclusion without proper validation. Mitigation involves applying patches when available, restricting file inclusion paths, and implementing strict input validation. Countries with high WordPress usage and significant AncoraThemes adoption are at greater risk. The severity is assessed as high due to the potential impact on confidentiality and integrity, ease of exploitation, and broad scope of affected systems.
AI Analysis
Technical Summary
CVE-2026-22373 is a Local File Inclusion (LFI) vulnerability found in the AncoraThemes Fooddy WordPress theme versions up to 1.3.10. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements. Specifically, the theme fails to adequately validate or sanitize user input that determines which files are included during execution. This flaw allows an attacker to manipulate the input to include arbitrary local files from the server's filesystem. Exploiting this vulnerability can lead to disclosure of sensitive files such as configuration files, password files, or other critical data stored on the server. In some cases, it may also enable remote code execution if the attacker can upload malicious files or leverage other chained vulnerabilities. The vulnerability does not currently have a CVSS score and no known exploits have been reported in the wild. However, given the nature of LFI vulnerabilities and their common exploitation in web applications, this issue represents a serious security risk. The affected product, Fooddy, is a WordPress theme developed by AncoraThemes, used primarily for food-related websites. The vulnerability was reserved in early January 2026 and published in February 2026. No official patches or updates have been linked yet, so users must monitor vendor advisories closely. The vulnerability is categorized under improper input validation in PHP file inclusion mechanisms, a common and critical web application security issue.
Potential Impact
The impact of CVE-2026-22373 can be significant for organizations using the vulnerable Fooddy theme. Successful exploitation can lead to unauthorized disclosure of sensitive information, including server configuration files, database credentials, and other critical data stored locally. This can facilitate further attacks such as privilege escalation, remote code execution, or lateral movement within the network. For websites, this may result in defacement, data breaches, or complete server compromise. Small and medium-sized businesses relying on WordPress themes like Fooddy may face reputational damage, financial losses, and regulatory penalties if customer data is exposed. The vulnerability also increases the attack surface for automated scanning and exploitation by threat actors. Since the flaw is in a widely used CMS theme, the scope of affected systems could be broad, especially if the theme is popular in certain regions or industries. The lack of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks. Organizations with public-facing websites running this theme are particularly at risk, as attackers can remotely attempt to exploit the vulnerability without authentication or user interaction.
Mitigation Recommendations
To mitigate CVE-2026-22373, organizations should first check whether they are running the AncoraThemes Fooddy theme at version 1.3.10 or earlier and upgrade to a patched version once one is available. In the absence of an official patch, apply the following mitigations:
- Restrict which directories PHP can read by setting the open_basedir directive, and restrict PHP file inclusion in the web server or PHP configuration where possible, so that an include cannot reach files outside expected locations.
- Employ a web application firewall (WAF) with rules that detect and block file inclusion attempts against the vulnerable parameters.
- Validate and sanitize any user-supplied data used in file inclusion, ensuring that only expected, safe filenames are accepted (an allowlist of known names rather than a filter on bad characters).
- Restrict file permissions on the server so that sensitive files cannot be read by the web server process even if an inclusion is attempted.
- Monitor web server logs for unusual requests that match file inclusion patterns.
- Consider temporarily disabling the vulnerable theme or switching to another theme until a secure update is released.
- Educate developers and administrators on secure coding practices for file inclusion to prevent similar flaws in custom code.
These actions address the specific mechanics of this vulnerability rather than generic hardening alone.
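The log-monitoring mitigation above, as an added Python example that is not part of the advisory or of the theme's code: it parses constructed Apache-style access-log lines, decodes repeated percent-encoding so double-encoded requests are not missed, and flags query values carrying directory traversal, PHP stream wrappers or absolute paths. The theme path and the `tpl` parameter are assumptions, since the advisory does not name the vulnerable parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache combined-log style). Hosts, the theme path and
# the "tpl" parameter are assumptions; the advisory does not name the parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2026:20:54:26 +0000] "GET /wp-content/themes/fooddy/index.php?tpl=home HTTP/1.1" 200 5120
203.0.113.11 - - [20/Feb/2026:20:55:01 +0000] "GET /wp-content/themes/fooddy/index.php?tpl=../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.12 - - [20/Feb/2026:20:55:09 +0000] "GET /wp-content/themes/fooddy/index.php?tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024
203.0.113.13 - - [20/Feb/2026:20:55:30 +0000] "GET /wp-content/themes/fooddy/index.php?tpl=php://input HTTP/1.1" 500 310
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Stream wrappers that turn an include() of attacker-controlled input into code execution.
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|file|ftp|https?)://', re.IGNORECASE)
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def normalize(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace('\\', '/')

def classify_value(raw):
    """Return a reason string if a query value looks like a file-inclusion probe."""
    v = normalize(raw)
    if TRAVERSAL_RE.search(v):
        return 'traversal'
    if WRAPPER_RE.match(v):
        return 'stream-wrapper'
    if v.startswith('/') or re.match(r'^[A-Za-z]:/', v):
        return 'absolute-path'
    return None

def scan_log(text):
    """Return (client_ip, parameter, reason) for every suspicious query value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append((m.group('ip'), name, reason))
    return findings
```

Feed `scan_log` a real access log (or tail it) and route the findings to your alerting pipeline; the first benign request in the sample produces no finding, the other three do.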
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2026-01-07T12:21:29.302Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6998ca02be58cf853bab9341
Added to database: 2/20/2026, 8:54:26 PM
Last enriched: 2/20/2026, 9:54:55 PM
Last updated: 2/21/2026, 4:00:26 AM