CVE-2026-22369
WordPress Ironfit theme <= 1.5 - Local File Inclusion vulnerability
In short
The WordPress Ironfit theme version 1.5 and earlier has a flaw that allows attackers to include and execute arbitrary local files on the server through improper file handling in PHP. This can lead to unauthorized access to sensitive data or execution of malicious code.
Technical detail
A CWE-98 vulnerability in the Ironfit theme's PHP include/require mechanism allows unauthenticated local file inclusion (LFI) attacks. The vulnerability stems from insufficient validation of filename parameters, enabling attackers to traverse the server filesystem and execute arbitrary PHP files. Successful exploitation can result in information disclosure, arbitrary code execution, or complete server compromise.
Summary generated and translated by AI from the official description.
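A generic illustration of the CWE-98 pattern described above, added here as an example; it is not code from the Ironfit theme, and the function names, template names and directory layout are hypothetical. It contrasts a request-controlled include path with an allowlist plus canonical-path containment check.

```php
<?php
// Added illustration of CWE-98; NOT code from the Ironfit theme.
// Function names, template names and the directory layout are hypothetical.

// Weak pattern: a request-controlled value is concatenated into an include path.
function resolve_unsafe(string $baseDir, string $name): string {
    return $baseDir . '/' . $name . '.php';   // "../" segments pass straight through
}

// Hardened pattern: allowlist first, then canonicalize and confirm containment.
function resolve_safe(string $baseDir, string $name, array $allowed): ?string {
    if (!in_array($name, $allowed, true)) {
        return null;                           // unknown template name
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                           // missing directory or file
    }
    // The canonical path must stay inside the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout so the script runs offline.
$root = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/header.php', "<?php // template\n");
file_put_contents($root . '/secret.php', "<?php // outside template dir\n");

$allowed = ['header', 'footer'];
foreach (['header', '../secret', 'footer'] as $input) {   // constructed inputs
    $unsafe = resolve_unsafe($root . '/templates', $input);
    $safe   = resolve_safe($root . '/templates', $input, $allowed);
    printf("%-10s unsafe=%s safe=%s\n", $input,
        file_exists($unsafe) ? 'would include' : 'no file',
        $safe === null ? 'rejected' : 'accepted');
}

// Clean up the sample layout.
unlink($root . '/templates/header.php');
unlink($root . '/secret.php');
rmdir($root . '/templates');
rmdir($root);
```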
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ironfit ironfit allows PHP Local File Inclusion. This issue affects Ironfit: from n/a through <= 1.5.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · Ironfit