CVE-2026-22325: WordPress Promo theme <= 1.3.0 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A local file inclusion (LFI) vulnerability affects the Promo WordPress theme by AxiomThemes, versions 1.3.0 and earlier. The vulnerable code path is reachable over the network and requires no authentication, but the CVSS vector rates attack complexity as High, so a working exploit depends on environmental conditions the attacker does not directly control. Successful exploitation lets an attacker read any file the web-server process can open, tamper with data, and disrupt the service; the CVSS vector rates confidentiality, integrity and availability impact all as High, and LFI is routinely escalated to remote code execution in common scenarios such as log poisoning or PHP session-file inclusion. No fix version has been published; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
- Detection: Available. CVE-2026-22325 is matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering custom-built images that bundle the Promo theme alongside WordPress. Any image found to contain the affected theme at version 1.3.0 or earlier is flagged automatically as part of normal pipeline scanning.
- Scoring and triage: Available. HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer organization's configured compliance policy to determine priority. Triage routing directs the alert to the appropriate team inbox within each customer environment based on policy and ownership rules.
- Fix: Pending upstream. No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as AxiomThemes publishes a fixed theme version. In the meantime, customers can review compensating control options such as network-policy isolation for affected workloads directly within the HarborGuard console.
Exploit Conditions
- Network reachability: Required
The vulnerability is reachable over the network, meaning an attacker must be able to send HTTP requests to the exposed WordPress installation.
- Authentication: Not required
No account or credentials of any kind are needed; the vulnerable code path is accessible to unauthenticated requests.
- Victim interaction: Not required
Exploitation is fully server-side and does not require any action from an administrator or other user.
- Attack complexity: High
Attack complexity is rated High (AC:H in the CVSS vector), meaning exploitation is not straightforward and may depend on specific server configurations, enabled PHP wrappers, or other environmental factors outside the attacker's direct control that a working exploit must account for.
Blast Radius
- A successful attacker reads any file the web-server process can open, including wp-config.php, the WordPress configuration file that holds the database credentials and the authentication keys and salts.
- An attacker who escalates the LFI to code execution (for example via PHP session file poisoning or log injection) gains the ability to write or modify files on the server and to run arbitrary code as the web-server user.
- Full availability impact is possible, meaning an attacker can disrupt or crash the affected WordPress service.
How HarborGuard Handles This
Available on HarborGuard: detection of this vulnerability is active across scanning pipelines for any image containing the Promo theme at version 1.3.0 or earlier. Because no upstream patch exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will surface a patched-image rebuild automatically once a fix version is published. While waiting for an upstream fix, customers can apply compensating controls: restrict external HTTP access to affected WordPress deployments with a Kubernetes network policy so that only trusted ingress can reach them; apply egress filtering so that a pod compromised through the LFI cannot fetch second-stage payloads or open outbound connections to attacker infrastructure (egress rules do not stop the local file read itself); and audit container image contents so that the theme is not shipped in images, such as non-production images, that do not need it. For customers with auto-remediation enabled, a rebuild and regression run will be triggered and a PR opened against affected workloads as soon as a fix version becomes available from the upstream maintainer.
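The image-audit step above can be done by hand when a scanner is not available. The script below is an added example, not HarborGuard's scanner and not AxiomThemes code: it walks an extracted image filesystem, finds every WordPress theme by the header comment in its style.css, and flags each Promo copy at version 1.3.0 or earlier. It assumes the theme ships the header value "Theme Name: Promo" and that the rootfs has been unpacked locally (for example with `docker create --name tmp image:tag && docker export tmp | tar -xC rootfs`); the 1.3.1 version in the constructed fixture is a hypothetical fixed version used only to show the OK path, since no fix has been published.

```shell
#!/bin/sh
# Added example (not HarborGuard's scanner and not AxiomThemes code): audit an
# extracted container-image filesystem for the Promo WordPress theme and flag
# every copy at version 1.3.0 or earlier. WordPress themes declare their name
# and version in the header comment of style.css, so the scan keys on that
# header rather than on a directory name; the header value "Theme Name: Promo"
# is an assumption about what this theme ships.

AFFECTED_MAX="1.3.0"   # highest affected version per the advisory (<= 1.3.0)

# Print the value of one style.css header field ($2) from file $1, e.g.
# theme_header style.css Version -> "1.3.0". Tolerates " * " line prefixes
# and CRLF endings; prints nothing if the field is absent.
theme_header() {
    sed -n "s/^[[:space:]]*\*\{0,1\}[[:space:]]*$2:[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if dotted version $1 <= dotted version $2, else 1.
# Components are compared as integers, so 1.10 > 1.3 and 1.3 == 1.3.0.
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 0
    }'
}

# Walk a rootfs (e.g. a `docker export` tarball unpacked into a directory) and
# print one line per Promo copy found: "<STATUS> <version> <path>", where
# STATUS is AFFECTED (<= 1.3.0), OK (newer) or UNKNOWN (no Version header).
scan_rootfs() {
    find "$1" -type f -name style.css 2>/dev/null | while IFS= read -r css; do
        name=$(theme_header "$css" "Theme Name")
        [ "$name" = "Promo" ] || continue
        ver=$(theme_header "$css" "Version")
        if [ -z "$ver" ]; then
            printf 'UNKNOWN - %s\n' "$css"
        elif version_le "$ver" "$AFFECTED_MAX"; then
            printf 'AFFECTED %s %s\n' "$ver" "$css"
        else
            printf 'OK %s %s\n' "$ver" "$css"
        fi
    done
    return 0
}

# Print the report and return non-zero if any affected copy is present, so the
# function can gate a CI pipeline step.
audit_image() {
    report=$(scan_rootfs "$1")
    [ -n "$report" ] && printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -q '^AFFECTED '; then
        return 1
    fi
    return 0
}

# Constructed fixture for demonstration (sample data, not a real image): a fake
# rootfs with two affected copies, one hypothetical fixed copy (1.3.1 is an
# assumed version; no fix has been published) and an unrelated theme.
write_theme_css() {
    mkdir -p "$1"
    printf '/*\r\n * Theme Name: %s\r\n * Version: %s\r\n */\r\n' "$2" "$3" > "$1/style.css"
}
make_fixture() {
    d=$(mktemp -d)
    write_theme_css "$d/var/www/html/wp-content/themes/promo"   "Promo" "1.3.0"
    write_theme_css "$d/srv/legacy/wp-content/themes/promo"     "Promo" "1.2.5"
    write_theme_css "$d/opt/staging/wp-content/themes/promo"    "Promo" "1.3.1"
    write_theme_css "$d/var/www/html/wp-content/themes/twentytwentyfour" "Twenty Twenty-Four" "1.0"
    printf '%s\n' "$d"
}

case "${1:-}" in
    --demo) fx=$(make_fixture); audit_image "$fx"; rc=$?; rm -rf "$fx"; exit $rc ;;
    "")     ;;                      # no argument: only define the functions
    *)      audit_image "$1" ;;     # usage: sh promo_audit.sh /path/to/rootfs
esac
```

Run it as `sh promo_audit.sh ./rootfs` against an unpacked image, or `sh promo_audit.sh --demo` to see the fixture report; a non-zero exit means at least one affected copy was found. Matching on the style.css header rather than the directory name also catches renamed or vendored copies of the theme that a path-based check would miss.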
- AxiomThemes / Promo: ≤ 1.3.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H