CVE-2026-22326: WordPress Reprizo theme <= 1.0.8 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Reprizo versions <= 1.0.8.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A local file inclusion vulnerability exists in the Reprizo WordPress theme (versions 1.0.8 and earlier) by AxiomThemes. The flaw is reachable over the network without any authentication, though exploitation requires overcoming environmental conditions that make the attack non-trivial. Successful exploitation gives an attacker the ability to read sensitive files from the server, write or modify content, and crash the affected service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle WordPress themes.
- Scoring: Available. HarborGuard scores this finding at CVSS 8.1 (HIGH) and layers in each customer organization's compliance policy weighting before routing the alert to the appropriate team inbox.
- Remediation: Pending upstream. Because no fix version has been published by AxiomThemes, HarborGuard re-checks the advisory on each ingest cycle; the moment an upstream patch is released, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, the rebuild triggers a regression-test run and opens a PR against affected workloads as soon as a fix version exists.
Exploit Conditions
- Network reachability: Required. The vulnerable theme endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Not required. No account or credentials are needed; the vulnerability is exploitable by any unauthenticated remote requester.
- Victim interaction: Not required. No user action is required; the attacker sends requests directly to the server without involving a logged-in user.
- Attack complexity: High. Reliable exploitation depends on specific environmental conditions such as server configuration or file-path enumeration rather than a straightforward, condition-free request.
Blast Radius
- An attacker can read arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
- An attacker can modify or overwrite persisted files on the server, enabling content tampering or injection of malicious code into theme or plugin files.
- An attacker can cause the affected service to crash or become unresponsive by including files that trigger fatal errors or resource exhaustion.
How HarborGuard Handles This
Available on HarborGuard: this CVE is continuously monitored against all customer images that bundle the Reprizo theme at versions 1.0.8 or earlier. Because no upstream fix exists yet, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment AxiomThemes publishes a remediated release. In the interim, compensating controls worth considering include network-policy rules that restrict public access to the WordPress installation, egress filtering to prevent the server from reading attacker-controlled remote paths, and disabling or replacing the Reprizo theme where compliance policy permits. For customers with auto-remediation enabled, the full rebuild, regression-test, and PR flow activates without manual intervention as soon as a fix version becomes available.
Affected Products
- Vendor / Product: AxiomThemes / Reprizo
- Affected versions: ≤ 1.0.8
- CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H