CVE-2026-22476
Local File Inclusion Vulnerability in Etchy PHP Theme
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elated_themes | etchy | to 1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22476 is a Local File Inclusion (LFI) vulnerability found in the WordPress Etchy Theme versions up to and including 1.0. This vulnerability allows unauthenticated attackers to exploit improper control of filenames in include/require statements within the PHP program. By doing so, attackers can include and display local files from the target website.
This flaw is classified under the OWASP Top 10 category A3: Injection, indicating it involves injection of unintended files into the application.
How can this vulnerability impact me? :
Exploiting this vulnerability could expose sensitive files on the affected website, such as files containing database credentials.
This exposure can potentially lead to a complete database takeover depending on the websiteβs configuration.
Since the vulnerability requires no authentication to exploit, it poses a high risk and urgency for mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename in include/require statements.
Detection can involve monitoring web server logs for suspicious requests attempting to include local files via URL parameters or paths related to the Etchy theme.
Specific commands are not provided in the available resources, but typical detection methods include using tools like grep or log analyzers to search for suspicious patterns in access logs, such as attempts to include files via parameters.
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for this vulnerability, immediate mitigation involves implementing the Patchstack mitigation rule that blocks attack attempts.
Users are strongly advised to apply this automated mitigation solution promptly to protect their WordPress sites running the Etchy theme versions up to 1.0.
This mitigation provides immediate protection until an official fix is released and can be safely applied.