CVE-2026-22428
WordPress Tooth Fairy theme <= 1.16 - Local File Inclusion vulnerability
In short
The Tooth Fairy WordPress theme up to version 1.16 has a flaw that allows attackers to include and execute arbitrary files from the server. This could let an attacker access sensitive files or run malicious code on your website.
Technical detail
A PHP Local File Inclusion (LFI) vulnerability arises from the theme's improper handling of filename parameters passed to include/require statements. An unauthenticated attacker can manipulate input to traverse the filesystem and include arbitrary PHP or sensitive files, potentially leading to information disclosure or remote code execution depending on server configuration and available files.
Summary generated and translated by AI from the official description.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tooth Fairy tooth-fairy allows PHP Local File Inclusion. This issue affects Tooth Fairy: from n/a through <= 1.16.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
AncoraThemes · Tooth Fairy
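To check an installation against the affected range stated above (Tooth Fairy through 1.16), the following added example reads the Version field from the theme's style.css under a WordPress root; it is not part of the advisory or of the theme's code. It assumes the default wp-content/themes layout, and the function names and status strings are illustrative.

```python
import re
import sys
from pathlib import Path

THEME_SLUG = "tooth-fairy"   # theme slug as given in the advisory
LAST_AFFECTED = (1, 16)      # advisory: affected through <= 1.16

def parse_header(style_css: str) -> dict:
    """Read 'Key: value' fields from the header comment of a theme's style.css."""
    fields = {}
    for line in style_css[:8192].splitlines():   # only the first 8 KB holds the header
        m = re.match(r"^[\s*/]*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))  # first occurrence wins
    return fields

def version_tuple(text: str) -> tuple:
    """'1.9' -> (1, 9). Numeric compare, so 1.9 < 1.16 (a string compare gets this wrong)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    nums = [int(n) for n in m.group(1).split(".")] if m else []
    while nums and nums[-1] == 0:                # treat 1.16.0 as 1.16
        nums.pop()
    return tuple(nums)

def classify(fields: dict) -> str:
    """Compare the header's Version field with the advisory's affected range."""
    ver = version_tuple(fields.get("version", ""))
    if not ver:
        return "unknown-version"                 # no usable Version field: check by hand
    return "affected" if ver <= LAST_AFFECTED else "not-listed-as-affected"

def scan(wp_root) -> dict:
    """Map each installed copy of the theme, and each child theme of it, to a status."""
    results = {}
    for css in sorted(Path(wp_root).glob("wp-content/themes/*/style.css")):
        fields = parse_header(css.read_text(errors="replace"))
        if css.parent.name == THEME_SLUG:
            results[css.parent.name] = classify(fields)
        elif fields.get("template", "").strip() == THEME_SLUG:
            # A child theme runs the parent's PHP, so the parent's version decides.
            results[css.parent.name] = "child-theme-of-" + THEME_SLUG
    return results

if __name__ == "__main__":
    for name, status in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{name}: {status}")
```

Run it with the WordPress root as the only argument. A theme that is installed but not active is still reported, since the check looks at what is on disk.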