
CVE-2026-22375: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in AncoraThemes Impacto Patronus

Severity: High
Type: Vulnerability
Published: Fri Feb 20 2026 (02/20/2026, 15:47:05 UTC)
Source: CVE Database V5
Vendor/Project: AncoraThemes
Product: Impacto Patronus

Description

CVE-2026-22375 is a vulnerability in the AncoraThemes Impacto Patronus WordPress theme that stems from improper control of filenames in PHP include/require statements. The flaw enables PHP Local File Inclusion (LFI), potentially allowing attackers to include and execute arbitrary files on the server. It affects Impacto Patronus versions up to and including 1.2.3. No known exploits have been reported in the wild yet, but the risk remains significant due to the nature of LFI vulnerabilities. Attackers could leverage this to disclose sensitive information, execute malicious code, or escalate privileges. Organizations using this theme on their WordPress sites are at risk, especially if the theme is not updated or patched. Mitigation involves updating to a fixed version once available, restricting file inclusion paths, and employing web application firewalls. Countries with high WordPress usage and significant AncoraThemes market penetration are most at risk.

AI-Powered Analysis

Last updated: 02/20/2026, 21:55:09 UTC

Technical Analysis

CVE-2026-22375 identifies a Local File Inclusion (LFI) vulnerability in the AncoraThemes Impacto Patronus WordPress theme, specifically caused by improper control over the filename parameter used in PHP include or require statements. This vulnerability allows an attacker to manipulate the filename parameter to include arbitrary files from the server, potentially leading to remote code execution or disclosure of sensitive information. The flaw exists in versions up to and including 1.2.3 of the Impacto Patronus theme. The vulnerability arises because the application fails to properly sanitize or validate user-supplied input before passing it to PHP's include or require functions, which are used to incorporate files during runtime. Exploiting this vulnerability typically involves sending crafted HTTP requests that specify malicious file paths, enabling attackers to read sensitive files such as configuration files, password files, or even execute malicious scripts if writable files are included. Although no public exploits have been reported yet, the vulnerability is critical due to the potential impact on confidentiality, integrity, and availability of affected systems. The lack of a CVSS score necessitates an expert severity assessment, which rates this vulnerability as high severity. This is due to the ease of exploitation without authentication or user interaction, the broad impact on any site using the affected theme, and the potential for severe consequences including full system compromise. The vulnerability was publicly disclosed in February 2026, with no official patches currently available, emphasizing the need for immediate mitigation.

Potential Impact

The impact of CVE-2026-22375 on organizations worldwide can be significant, especially for those using the AncoraThemes Impacto Patronus WordPress theme. Successful exploitation can lead to unauthorized disclosure of sensitive information, such as configuration files containing database credentials or API keys, which can further facilitate deeper network compromise. Additionally, attackers may execute arbitrary PHP code by including malicious files, potentially gaining full control over the web server and pivoting to other internal systems. This can result in data breaches, defacement of websites, service disruption, and reputational damage. Since WordPress powers a large portion of websites globally, and AncoraThemes is a known theme provider, the scope of affected systems could be substantial. The vulnerability does not require authentication or user interaction, increasing the risk of automated exploitation attempts. Organizations with public-facing WordPress sites using this theme are at high risk, and failure to address this vulnerability could lead to significant operational and financial consequences.

Mitigation Recommendations

To mitigate CVE-2026-22375, organizations should take the following specific actions:

1) Immediately audit all WordPress sites for the use of the AncoraThemes Impacto Patronus theme, particularly versions up to 1.2.3.
2) If an official patch or updated version is released by AncoraThemes, apply it promptly.
3) In the absence of a patch, implement web application firewall (WAF) rules to block requests containing suspicious file inclusion patterns or attempts to manipulate include parameters.
4) Harden PHP configurations by disabling dangerous settings such as allow_url_include and restricting include_path to trusted directories only.
5) Employ strict input validation and sanitization on any user-controllable parameters related to file inclusion.
6) Monitor web server logs for unusual requests targeting include or require parameters and investigate anomalies.
7) Consider temporarily disabling or replacing the vulnerable theme with a secure alternative until a fix is available.
8) Conduct regular security assessments and penetration testing focused on file inclusion vulnerabilities.

These targeted measures go beyond generic advice by focusing on the specific nature of this vulnerability and the affected product.
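The log monitoring in step 6 can be sketched as follows. This is an added example, not code from the advisory or from AncoraThemes; it assumes common/combined access-log format, and the parameter name `tpl` and all log lines are constructed, since the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Indicators of include-path manipulation, applied to fully decoded values.
INDICATORS = [
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("stream-wrapper", re.compile(r"^(php|data|expect|phar|zip|file):", re.I)),
    ("null-byte", re.compile(r"\x00")),
    ("sensitive-file", re.compile(r"(^|[/\\])(etc/passwd|wp-config\.php)", re.I)),
]
# Common/combined access-log format: client, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Undo layered percent-encoding (%252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return [(client, status, param, [labels])] for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, target, status = m.groups()
    findings = []
    # Every parameter is checked: the advisory does not name the vulnerable one.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        labels = [label for label, rx in INDICATORS if rx.search(value)]
        if labels:
            findings.append((client, int(status), name, labels))
    return findings

# Constructed sample lines; "tpl" is a hypothetical parameter name.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/2026:16:01:02 +0000] "GET /?tpl=header HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Feb/2026:16:01:09 +0000] "GET /?tpl=..%2f..%2fwp-config.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [20/Feb/2026:16:01:11 +0000] "GET /?tpl=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
    '198.51.100.7 - - [20/Feb/2026:16:01:15 +0000] "GET /?tpl=php://filter/resource=index HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for client, status, param, labels in scan_line(line):
            print(f"{client} status={status} param={param} {','.join(labels)}")
```

Flagged requests that returned status 200 deserve the first look, and parameters sent in POST bodies do not appear in access logs, so this covers query strings only.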


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2026-01-07T12:21:36.721Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6998ca02be58cf853bab9344

Added to database: 2/20/2026, 8:54:26 PM

Last enriched: 2/20/2026, 9:55:09 PM

Last updated: 2/21/2026, 3:57:40 AM
