CVE-2026-22449 is a Local File Inclusion (LFI) vulnerability found in the Select-Themes Don Peppe WordPress theme, specifically affecting versions up to 1.3. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements. This flaw allows an attacker to manipulate the input parameters that determine which files are included by the PHP script, enabling them to include arbitrary files from the server. Such an attack can lead to disclosure of sensitive information, such as configuration files, source code, or credentials, and in some cases, it may facilitate remote code execution if the attacker can upload malicious files or leverage other vulnerabilities. The vulnerability does not currently have a CVSS score and no known public exploits have been reported. The issue was reserved in early 2026 and published in March 2026 by Patchstack. The lack of patches or mitigations at the time of publication increases the urgency for affected users to implement protective measures. The vulnerability primarily impacts websites using the Don Peppe theme, which is a product of Select-Themes, a provider of WordPress themes. Since WordPress powers a significant portion of the web, and themes are widely used, the potential attack surface is considerable. The vulnerability requires the attacker to control input that influences the file inclusion path, which may or may not require authentication depending on the theme’s design and deployment context. The absence of known exploits suggests that exploitation may require some technical skill or specific conditions, but the risk remains significant due to the nature of LFI vulnerabilities.

The impact of CVE-2026-22449 can be severe for organizations running vulnerable versions of the Don Peppe theme. Successful exploitation can lead to unauthorized disclosure of sensitive files, including configuration files containing database credentials or API keys, which can compromise the confidentiality of the system. Additionally, attackers may leverage LFI to execute arbitrary code if combined with other vulnerabilities or file upload capabilities, threatening system integrity and availability. This can result in website defacement, data theft, or the site being used as a launchpad for further attacks such as malware distribution or lateral movement within a network. For organizations relying on affected WordPress sites for business operations, this can lead to reputational damage, financial losses, and regulatory penalties if sensitive customer data is exposed. The widespread use of WordPress and the popularity of Select-Themes products increase the potential global impact, especially for small and medium-sized businesses that may lack dedicated security resources. The absence of known exploits currently limits immediate widespread attacks, but the vulnerability remains a significant risk until patched.

1. Monitor for official patches or updates from Select-Themes and apply them immediately once available to remediate the vulnerability. 2. In the absence of patches, implement strict input validation and sanitization on all parameters controlling file inclusion paths to prevent malicious manipulation. 3. Configure the web server and PHP environment to disable remote file inclusion and restrict file inclusion to trusted directories using open_basedir or similar PHP configuration directives. 4. Employ a Web Application Firewall (WAF) with rules designed to detect and block attempts to exploit LFI vulnerabilities, including suspicious file path traversal patterns. 5. Conduct regular security audits and code reviews of customizations made to the Don Peppe theme to identify and remediate insecure coding practices. 6. Limit the permissions of the web server user to the minimum necessary to reduce the impact of any successful exploitation. 7. Educate site administrators about the risks of using outdated themes and the importance of timely updates. 8. Consider temporarily disabling or replacing the vulnerable theme if immediate patching is not possible, to reduce exposure.