CVE-2026-22325
Deferred Deferred - Pending Action
Unauthenticated Local File Inclusion in Promo

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
NVD
CVE-2026-22325
EUVD
EUVD-2026-37648
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
patchstack promo to 1.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22325 is a Local File Inclusion (LFI) vulnerability found in the WordPress Promo Theme versions 1.3.0 and below. This flaw allows unauthenticated attackers to include local files from the target server. By exploiting this vulnerability, attackers can potentially access sensitive files such as database credentials.

Impact Analysis

This vulnerability can have severe impacts including exposure of sensitive data like database credentials, which can lead to full database compromise. Because it is unauthenticated and has a high CVSS score of 8.1, it poses a high risk and can be exploited in widespread attacks targeting many websites using the vulnerable theme.

Mitigation Strategies

Immediate action is advised to mitigate the Local File Inclusion vulnerability in WordPress Promo Theme versions 1.3.0 and below.

  • Update the Promo theme to a version above 1.3.0 if available.
  • If no official patch is available, apply the mitigation rule released by Patchstack to block attacks.
  • Seek assistance from your hosting provider or a developer to implement protective measures.
Compliance Impact

This vulnerability allows unauthenticated attackers to include local files on the target server, potentially exposing sensitive data such as database credentials and leading to full database compromise.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, organizations using affected versions of the Promo WordPress theme may face increased risk of violating these standards if the vulnerability is exploited.

Detection Guidance

The vulnerability affects WordPress Promo Theme versions 1.3.0 and below, allowing unauthenticated Local File Inclusion (LFI). Detection typically involves monitoring for suspicious HTTP requests attempting to include local files via the theme.

Since no official patch is available, detection can be aided by applying mitigation rules such as those provided by Patchstack to block attack attempts.

Specific commands are not provided in the available resources, but common detection methods include inspecting web server logs for unusual requests containing file inclusion patterns (e.g., requests with parameters attempting to include files like ../../etc/passwd).

You can use commands like the following to search web server logs for potential exploitation attempts:

  • grep -i 'include' /var/log/apache2/access.log
  • grep -E '\.\./|etc/passwd|\?file=' /var/log/apache2/access.log

Additionally, network intrusion detection systems (NIDS) or web application firewalls (WAF) with updated rules can help detect and block exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart