CVE-2026-22326
Deferred - Pending Action
Unauthenticated Local File Inclusion in Reprizo

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Local File Inclusion in Reprizo <= 1.0.8 versions.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: reprizo
Version / Range: to 1.0.8 (inc)
CWE
CWE ID: CWE-98
Description: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Executive Summary

The WordPress Reprizo Theme, versions 1.0.8 and below, contains a Local File Inclusion (LFI) vulnerability that can be exploited without authentication.

This flaw allows attackers to include local files from the target website, which can lead to exposure of sensitive information such as database credentials.

The vulnerability is considered high severity with a CVSS score of 8.1 and is actively exploitable.

Impact Analysis

Exploitation of this vulnerability can lead to exposure of sensitive data including database credentials.

Attackers may achieve complete database compromise, which can result in data theft, data manipulation, or further attacks on the website.

Since the vulnerability is actively exploited in mass campaigns, affected websites are at significant risk.

Mitigation Strategies

The WordPress Reprizo Theme versions 1.0.8 and below have a high-priority Local File Inclusion vulnerability that is actively exploitable.

Immediate mitigation steps include applying the mitigation rule issued by Patchstack to block attacks until an official patch is released.

It is also advised to update the theme if an update becomes available or seek assistance from your hosting provider or a developer to secure your site.

Detection Guidance

The vulnerability is a Local File Inclusion (LFI) in the WordPress Reprizo Theme versions 1.0.8 and below, which allows unauthenticated attackers to include local files on the target website.

Detection typically involves monitoring for suspicious HTTP requests attempting to exploit LFI, such as requests containing file path traversal patterns (e.g., ../) targeting theme files.

Because no official patch is available and a mitigation rule is provided by Patchstack, check web server logs for unusual requests that include local file paths or attempt to access sensitive files.

Example commands to detect potential exploitation attempts include using grep on web server logs to find suspicious patterns:

  • grep -iE '(\.{2}/|etc/passwd|wp-config\.php)' /var/log/apache2/access.log
  • grep -i 'reprizo' /var/log/apache2/access.log | grep -E '(\.{2}/|include|file=)'

Additionally, network intrusion detection systems (NIDS) or web application firewalls (WAF) with rules targeting LFI patterns can help detect or block exploitation attempts.
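
The log check described above, as an added example (not code from the advisory or from Patchstack): a Python scan of Apache combined-format access logs that percent-decodes each request before matching, so encoded and double-encoded traversal sequences are flagged as well, which the plain grep patterns miss. The sample log lines are constructed, `example_param` is a placeholder because the page does not name the vulnerable parameter, and the `/wp-content/themes/reprizo/` path is assumed from WordPress's standard theme layout.

```python
import re
from urllib.parse import unquote

# Apache combined log format: client, timestamp, method, URL, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# Indicators taken from the page's grep patterns (traversal, sensitive files).
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "wp-config": re.compile(r"wp-config\.php", re.I),
    "etc/passwd": re.compile(r"etc/passwd", re.I),
}

def fully_decode(url, max_rounds=3):
    """Percent-decode repeatedly so %252e%252e%252f is seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan(lines, theme="reprizo"):
    """Return requests that mention the theme and carry an LFI indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, ts, method, url, status = m.groups()
        decoded = fully_decode(url)
        if theme not in decoded.lower():
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if hits:
            findings.append({"client": client, "time": ts, "status": int(status),
                             "url": decoded, "indicators": hits})
    return findings

# Constructed sample lines (documentation IPs; example_param is a placeholder).
SAMPLE = [
    '198.51.100.7 - - [17/Jun/2026:10:01:02 +0000] "GET /wp-content/themes/reprizo/style.css HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Jun/2026:10:01:05 +0000] "GET /wp-content/themes/reprizo/?example_param=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3391',
    '203.0.113.9 - - [17/Jun/2026:10:01:06 +0000] "GET /wp-content/themes/reprizo/?example_param=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '198.51.100.7 - - [17/Jun/2026:10:02:00 +0000] "GET /blog/../about HTTP/1.1" 301 0',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["client"], f["status"], f["indicators"], f["url"])
```

Findings that returned status 200 deserve the first look during triage, since the server answered the request rather than rejecting it.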

Compliance Impact

The vulnerability allows unauthenticated attackers to include local files on the target website, potentially exposing sensitive data such as database credentials and leading to complete database compromise.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, organizations using the affected Reprizo theme versions may face increased risk of violating these standards if the vulnerability is exploited.
