CVE-2026-22478 is a Local File Inclusion (LFI) vulnerability affecting the Elated-Themes FindAll plugin for PHP-based websites, specifically versions up to 1.4. The vulnerability stems from improper validation and control of filenames used in PHP include or require statements, which allows an attacker to manipulate the input to include arbitrary local files on the server. This can lead to disclosure of sensitive files such as configuration files, password files, or application source code. In some cases, if the attacker can include files containing executable PHP code or upload malicious files, this vulnerability could escalate to remote code execution. The vulnerability does not require authentication or user interaction, making it easier for attackers to exploit remotely. Although no known public exploits are currently reported, the vulnerability is publicly disclosed and unpatched, increasing the risk of future exploitation. The affected product is the FindAll plugin by Elated-Themes, commonly used in WordPress environments, which rely heavily on PHP. The lack of a CVSS score indicates that the vulnerability is newly published and awaiting further analysis or patching. The vulnerability is classified as a critical security flaw in web applications due to its potential to compromise server confidentiality and integrity.

The impact of CVE-2026-22478 on organizations worldwide can be significant. Successful exploitation can lead to unauthorized disclosure of sensitive information such as database credentials, configuration files, or user data, which can facilitate further attacks. In worst-case scenarios, attackers may achieve remote code execution, allowing full server compromise, data theft, or service disruption. This can damage organizational reputation, lead to regulatory penalties, and cause financial losses. Since the vulnerability affects a widely used PHP plugin, many websites and web applications are potentially exposed, especially those that have not updated or patched their plugins. The ease of exploitation without authentication increases the risk of automated scanning and mass exploitation attempts. Organizations relying on the FindAll plugin or similar Elated-Themes products should consider this a high-risk vulnerability requiring immediate attention.

To mitigate CVE-2026-22478, organizations should: 1) Immediately check for and apply any official patches or updates released by Elated-Themes for the FindAll plugin. 2) If patches are not yet available, temporarily disable or remove the vulnerable plugin to prevent exploitation. 3) Implement strict input validation and sanitization on all user-supplied data that may influence file inclusion paths, ensuring only expected and safe filenames are accepted. 4) Employ web application firewalls (WAFs) with rules designed to detect and block suspicious file inclusion attempts. 5) Restrict PHP include paths and disable allow_url_include and allow_url_fopen directives in PHP configurations to reduce the risk of remote file inclusion. 6) Conduct thorough security audits and penetration testing focused on file inclusion vulnerabilities. 7) Monitor web server logs for unusual requests that may indicate exploitation attempts. 8) Educate development teams on secure coding practices related to file handling in PHP. These steps will help reduce the attack surface and protect against exploitation until a permanent fix is applied.