CVE-2026-22356
Local File Inclusion in Jetpack CRM β€ 6.7.0 Enables Code Execution
Publication date: 2026-02-20
Last updated on: 2026-02-24
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| automattic | jetpack_crm | to 6.7.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22356 is a Local File Inclusion (LFI) vulnerability in the WordPress Jetpack CRM Plugin versions up to and including 6.7.0.
This vulnerability allows an attacker to include and display local files from the target website, potentially exposing sensitive information such as database credentials.
Exploitation requires user interaction, such as clicking a malicious link or visiting a crafted page, but does not require authentication.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'The vulnerability can lead to exposure of sensitive information from the target website, including database credentials.'}, {'type': 'paragraph', 'content': "Depending on the site's configuration, this exposure could result in a complete database takeover."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'CVE-2026-22356 is a Local File Inclusion (LFI) vulnerability in the WordPress Jetpack CRM Plugin up to version 6.7.0. Detection typically involves monitoring for attempts to exploit the vulnerability by including local files via crafted URLs or form submissions.'}, {'type': 'paragraph', 'content': 'While specific commands are not provided in the resources, common detection methods include inspecting web server logs for suspicious requests containing file inclusion patterns, such as URLs with parameters attempting to include local files (e.g., using ../ sequences or file paths).'}, {'type': 'paragraph', 'content': 'You can use commands like the following to search for suspicious requests in your web server logs:'}, {'type': 'list_item', 'content': "grep -i 'include' /var/log/apache2/access.log"}, {'type': 'list_item', 'content': "grep -E '\\.\\./|\\binclude\\b' /var/log/nginx/access.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual HTTP requests that contain file paths or attempts to access sensitive files can help detect exploitation attempts.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation for CVE-2026-22356 is to update the Jetpack CRM Plugin to version 6.7.1 or later, where the vulnerability has been patched.
Until the update can be applied, Patchstack provides an immediate mitigation rule that can be enabled to block attacks targeting this vulnerability.
Patchstack users can also enable auto-updates specifically for vulnerable plugins to ensure continuous protection.