CVE-2026-22502
PHP Local File Inclusion in AncoraThemes Mr. Cobbler
Publication date: 2026-03-25
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ancorathemes | mr_cobbler | to 1.1.9 (inc) |
| ancorathemes | mr_cobbler | From 1.0.0 (inc) to 1.1.9 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
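As an added illustration of CWE-98 (this is not the Mr. Cobbler theme's code; the page does not show the vulnerable code path, and the parameter name `template`, the directory layout and the function names below are hypothetical), here is a template loader that passes a request parameter straight to `include`, beside a hardened resolver that checks the name against an allowlist and verifies that the canonical path stays under the templates directory:

```php
<?php
// Added illustration of CWE-98 (improper control of the filename used in a PHP
// include). This is NOT the Mr. Cobbler theme's code: the page does not show
// the vulnerable code path, and the parameter name "template", the directory
// layout and the function names here are hypothetical.

// Vulnerable pattern: the request parameter reaches include() unchecked, so
// ?template=../../../../wp-config (traversal) or, depending on configuration,
// php://filter/convert.base64-encode/resource=... (to read PHP source instead
// of executing it) selects the file.
function load_template_vulnerable(string $templatesDir): void
{
    $name = $_GET['template'] ?? 'default';
    include $templatesDir . '/' . $name . '.php';
}

// Hardened resolver: two independent layers.
//  1. The name must come from a fixed allowlist.
//  2. The resolved file must exist and its canonical path (after ".." and
//     symlink resolution) must sit under the templates directory. Stream
//     wrappers such as php://filter never resolve to a real path, so they are
//     rejected here as well.
// Returns the canonical path to include, or null if the request is rejected.
function resolve_template(string $templatesDir, ?string $requested): ?string
{
    $allowed = ['default', 'gallery', 'contact'];
    $name = $requested ?? 'default';
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($templatesDir);
    $path = realpath($templatesDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

function load_template_hardened(string $templatesDir): void
{
    $path = resolve_template($templatesDir, $_GET['template'] ?? null);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Demonstration on the command line (php lfi_cwe98.php): build a throwaway
// templates directory with one legitimate file plus a "wp-config.php" one
// level above it, then show which requests the resolver accepts. The
// allowlist alone rejects the hostile names; the realpath check is the layer
// that still holds if an allowlist is forgotten or later widened.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/cwe98_' . bin2hex(random_bytes(4));
    mkdir("$root/templates", 0700, true);
    file_put_contents("$root/templates/default.php", "<?php echo 'default';");
    file_put_contents("$root/wp-config.php", "<?php define('DB_PASSWORD', 'secret');");

    $requests = [
        'default',
        '../wp-config',
        '../../../../etc/passwd',
        'php://filter/convert.base64-encode/resource=../wp-config',
        null,
    ];
    foreach ($requests as $req) {
        $path = resolve_template("$root/templates", $req);
        printf("%-62s => %s\n", var_export($req, true),
            $path === null ? 'REJECTED' : 'ok: ' . basename($path));
    }
}
```

The allowlist is the real fix; the `realpath` prefix check is defence in depth, and it is the reason the comparison is done against the canonical path rather than the string the attacker supplied.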
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22502 is a Local File Inclusion (LFI) vulnerability in the WordPress Mr. Cobbler theme, versions up to and including 1.1.9. A request parameter that ends up in a PHP include or require statement is not adequately restricted (CWE-98), so an unauthenticated attacker can make the site include files of their choosing from the local filesystem and read their contents (or, where the file is PHP, have it executed).
This vulnerability is classified under OWASP Top 10 A3: Injection and can be exploited without any privileges, making it highly dangerous.
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to exposure of sensitive files on the affected website, including files containing database credentials.
This exposure can potentially result in a complete database takeover depending on the site's configuration.
Because the vulnerability requires no privileges to exploit and has a high CVSS score of 8.1, it poses a high risk and is likely to be targeted in mass-attack campaigns.
No official patch is currently available, so immediate mitigation or resolution is strongly advised to prevent exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts arrive as ordinary HTTP requests whose parameter values name a file, so the primary detection source is the web server access log, supplemented by the WAF log if one sits in front of the site.
Look for requests whose query string carries directory-traversal sequences (../, including the URL-encoded %2e%2e%2f and double-encoded %252e%252e%252f forms), absolute paths to sensitive files (wp-config.php, /etc/passwd, /proc/self/environ), PHP stream wrappers such as php://filter, or embedded null bytes (%00). Repeated requests of this shape from one client, and in particular ones answered with status 200, are the signal to investigate. Note that the default access log records only the request line, so parameters sent in a POST body are visible only in a WAF or application-level log.
The resources for this CVE do not name the vulnerable parameter or publish a request signature, so a generic search over the access log is the usual first step, for example grep -iE '(\.\./|%2e%2e|wp-config\.php|/etc/passwd|php://)' /var/log/apache2/access.log. Searching the logs for the words "include" or "require" is not useful: those are PHP keywords in the theme's source, not strings that appear in the attacker's request.
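The detection logic described above, as an added example that is not from Patchstack or the theme vendor: a small PHP CLI scanner over access-log lines in the common log format. The log lines are constructed (not real traffic), the parameter name `tpl` is hypothetical, and the indicator list is a generic LFI starting point rather than a signature for CVE-2026-22502, whose vulnerable parameter this page does not name.

```php
<?php
// Added example: scan a web server access log for requests that look like
// Local File Inclusion attempts. Not from Patchstack or the theme vendor. The
// sample log lines are constructed, the "tpl" parameter is hypothetical, and
// the indicators are generic LFI signs, not a CVE-2026-22502 signature.

// Decode the request target twice so double-encoded traversal (%252e%252e%252f)
// is caught, normalise backslashes to slashes and lower-case for matching.
function decode_request(string $target): string
{
    $s = rawurldecode(rawurldecode($target));
    return strtolower(str_replace('\\', '/', $s));
}

// Return the names of the LFI indicators present in a request target.
function lfi_indicators(string $target): array
{
    $d = decode_request($target);
    $patterns = [
        'traversal'   => '#(^|[/=])\.\.(/|$)#',          // "=../" or "/../"
        'wp-config'   => '#wp-config\.php#',
        'etc-passwd'  => '#/etc/(passwd|shadow|hosts)#',
        'proc-self'   => '#/proc/self/#',
        'php-wrapper' => '#(php|data|phar|expect|zip)://#',
        'null-byte'   => '#\x00|%00#',                  // decoded NUL, or %00 left over
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $d)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Parse common/combined log format lines and return the suspicious ones.
// Format: client - - [time] "METHOD target HTTP/x" status size ...
function scan_access_log(iterable $lines): array
{
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#';
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // malformed or empty line
        }
        [, $client, $time, $method, $target, $status] = $m;
        $hits = lfi_indicators($target);
        if ($hits) {
            $findings[] = compact('client', 'time', 'method', 'target', 'status', 'hits');
        }
    }
    return $findings;
}

// Constructed sample lines (not real traffic). The first and last are benign.
$sample = [
    '203.0.113.7 - - [25/Mar/2026:10:01:02 +0000] "GET /wp-content/themes/mr-cobbler/style.css HTTP/1.1" 200 8123',
    '203.0.113.7 - - [25/Mar/2026:10:01:05 +0000] "GET /?tpl=../../../../wp-config.php HTTP/1.1" 200 3421',
    '198.51.100.9 - - [25/Mar/2026:10:02:11 +0000] "GET /?tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 500 0',
    '198.51.100.9 - - [25/Mar/2026:10:02:12 +0000] "GET /?tpl=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 2210',
    '192.0.2.4 - - [25/Mar/2026:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
];

// Usage: php lfi_scan.php [/var/log/apache2/access.log]
// Without an argument the constructed sample above is scanned.
if (PHP_SAPI === 'cli') {
    $lines = $argc > 1 ? new SplFileObject($argv[1]) : $sample;
    foreach (scan_access_log($lines) as $f) {
        printf("%s %s %s %s status=%s indicators=%s\n",
            $f['time'], $f['client'], $f['method'], $f['target'], $f['status'],
            implode(',', $f['hits']));
    }
}
```

On the sample, lines two to four are reported (traversal plus wp-config, traversal plus etc-passwd after double decoding, and php-wrapper plus wp-config), while the stylesheet request and the login POST are not. Treat the output as a triage list: a 200 response to a traversal request is worth a closer look at what the server actually returned, and the status code alone does not prove success or failure.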
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released.
Users should update the affected Mr. Cobbler theme to a patched version once it becomes available.
If unable to apply mitigations independently, users are advised to seek assistance from their hosting providers or web developers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The Local File Inclusion (LFI) vulnerability in the Mr. Cobbler WordPress theme allows unauthenticated attackers to access sensitive files, including those containing database credentials. This exposure can lead to a complete database takeover depending on the site's configuration.
Such unauthorized access and potential data breaches can compromise the confidentiality and integrity of personal and sensitive data, which are critical requirements under common standards and regulations like GDPR and HIPAA.
Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to inadequate protection of sensitive information and failure to prevent unauthorized data access.