HarborGuard Database

CVE-2026-22330 | Severity: HIGH | CNA: Patchstack

CVE-2026-22330: WordPress Right Way theme <= 4.0 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Right Way <= 4.0 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fixed version published
Affected Products: 1


HarborGuard Analysis

Synopsis

Local File Inclusion (LFI) is a vulnerability that lets an attacker force a web application to load arbitrary files from the server's filesystem. This CVE affects the Right Way WordPress theme by Themeum, versions 4.0 and below, and is reachable over the network with no authentication required. Successful exploitation gives an attacker the ability to read sensitive files on the server, and in common WordPress environments where file upload is possible, can be chained into full remote code execution, data tampering, or service disruption. No fix version has been published; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-22330 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built images that bundle the Right Way theme. Any image carrying the affected Themeum Right Way theme at version 4.0 or below is flagged automatically.
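As an added illustration of the detection step above (example code written for this page, not HarborGuard's scanner and not Themeum's code), the following Python script walks a filesystem or an unpacked image layer, reads the standard WordPress theme header in each `wp-content/themes/<slug>/style.css`, and flags any theme declaring `Theme Name: Right Way` at version 4.0 or below. The theme name string and directory layout are assumptions, and the `4.1` entry in the constructed sample tree is a hypothetical future version used only to exercise the version comparison; the advisory itself names no fixed release.

```python
"""Flag images or hosts that bundle the Right Way WordPress theme at <= 4.0.

Added example for this page; not HarborGuard's scanner and not Themeum's code.
Assumptions: themes live under wp-content/themes/<slug>/style.css and declare
the standard WordPress header fields "Theme Name:" and "Version:"; the Right
Way theme is assumed to declare "Theme Name: Right Way".
"""
import os
import re
import tempfile

AFFECTED_THEME = "Right Way"   # assumed header value
MAX_AFFECTED_VERSION = "4.0"   # from the advisory: <= 4.0 is affected

# "Theme Name: X" / "Version: Y" lines inside the style.css header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(path):
    """Return the header fields we care about as a dict (may be empty)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read(4096)  # the header block sits at the top of the file
    return {key: value for key, value in HEADER_RE.findall(text)}


def version_tuple(version):
    """Numeric-only version key; trailing zeros dropped so 4.0.0 == 4.0.
    Pre-release suffixes such as -beta are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_affected(name, version):
    """True when the theme is Right Way at a version <= 4.0."""
    return (name.strip().lower() == AFFECTED_THEME.lower()
            and version_tuple(version) <= version_tuple(MAX_AFFECTED_VERSION))


def scan_tree(root):
    """Walk a filesystem (or unpacked image layer) and report every theme found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "style.css" not in files:
            continue
        if os.path.basename(os.path.dirname(dirpath)) != "themes":
            continue  # only wp-content/themes/<slug>/style.css carries a theme header
        header = parse_theme_header(os.path.join(dirpath, "style.css"))
        name, version = header.get("Theme Name"), header.get("Version")
        if not name or not version:
            continue
        findings.append({"path": dirpath, "name": name, "version": version,
                         "affected": is_affected(name, version)})
    return findings


def build_sample_tree():
    """Constructed sample: a temp dir with four themes. The 4.1 entry is a
    hypothetical future version used only to exercise the comparison."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {
        "right-way": ("Right Way", "4.0"),
        "right-way-legacy": ("Right Way", "3.9.2"),
        "other-theme": ("Other Theme", "4.0"),
        "right-way-next": ("Right Way", "4.1"),
    }
    for slug, (name, version) in samples.items():
        theme_dir = os.path.join(root, "wp-content", "themes", slug)
        os.makedirs(theme_dir)
        with open(os.path.join(theme_dir, "style.css"), "w", encoding="utf-8") as fh:
            fh.write(f"/*\nTheme Name: {name}\nTheme URI: https://example.invalid/\n"
                     f"Version: {version}\n*/\n")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        flag = "AFFECTED" if finding["affected"] else "ok"
        print(f"{flag:8} {finding['name']} {finding['version']}  {finding['path']}")
```

Point `scan_tree` at a mounted image layer or a web root to get one record per theme; only `Right Way` at 4.0, 4.0.0 or any lower version is marked affected, while a differently named theme at 4.0 is not.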
Triage (status: Available)

HarborGuard surfaces this CVE with its CVSS 3.1 score of 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership and policy rules.
Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Themeum ships a remediated release. In the meantime, compensating controls such as network-policy isolation and web application firewall rules targeting path traversal patterns can be applied to reduce exposure.

Exploit Conditions

  • Network reachability: Required

    The vulnerable theme endpoint is exposed over the network, so the attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session token is needed; the vulnerability is exploitable by any unauthenticated network request.

  • Victim interaction: Not required

    No user action is needed on the target server; the attacker sends a crafted request directly without any social-engineering step.

  • Attack complexity: High

    Attack complexity is rated High, meaning exploitation may depend on specific server configuration or require chaining with another condition such as a writable upload directory for code execution.

Blast Radius

  • An attacker can read arbitrary files from the server filesystem, including WordPress configuration files such as wp-config.php that contain database credentials.
  • Credential exposure from those files enables database access, allowing an attacker to read, modify, or delete stored posts, user records, and session tokens.
  • In environments where file upload is permitted, LFI can be chained to execute attacker-supplied code, resulting in full server compromise.
  • All three impact dimensions (confidentiality, integrity, and availability) are rated High in the CVSS vector (C:H/I:H/A:H), meaning the attacker gains broad control over the affected host.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against any image that packages the Right Way WordPress theme at version 4.0 or below, including internally built images, with results surfaced in the findings dashboard weighted by your environment's compliance policy. Because no upstream fix exists yet, HarborGuard monitors the Patchstack and NVD advisory feeds on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression test run and a PR against affected workloads as soon as Themeum publishes a remediated version. While awaiting a fix, recommended compensating controls include a web application firewall rule that blocks path traversal sequences in request parameters, restricting the directories PHP is allowed to open via the server-level open_basedir setting, and Kubernetes network policies that limit which services can reach the WordPress host.
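The compensating controls named in the Patch section and in the paragraph above (a WAF rule on traversal sequences, open_basedir-style path confinement) can be exercised with the added Python example below. It is not HarborGuard's or Themeum's code, and because the advisory does not name the vulnerable endpoint or parameter, the `file` query parameter and every access-log line are constructed placeholders. `classify_request` percent-decodes a request repeatedly before matching, since a rule that matches only the literal `../` misses encoded and double-encoded variants; `review_log` runs it over the sample log lines; and `resolve_under` shows the check that open_basedir, or an application-level allowlist, enforces: a resolved path must stay under the permitted base directory or the open is refused.

```python
"""Defensive checks for path-traversal / LFI attempts against a WordPress host.

Added example for this page; not HarborGuard's or Themeum's code. The
``file`` query parameter and all log lines are constructed placeholders:
the advisory does not name the vulnerable endpoint or parameter.
"""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-format access log line (constructed sample data below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path segment ("../", "/..") after normalisation; "..notes" is not one.
TRAVERSAL_RE = re.compile(r'(?:^|/)\.\.(?:/|$)')
# File the advisory calls out as a high-value read target.
SENSITIVE_NAMES = ("wp-config.php",)

# Constructed sample log: one clean request, three traversal attempts with
# increasing levels of URL encoding, and one benign path containing "..".
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2026:10:00:00 +0000] "GET /wp-content/themes/right-way/style.css HTTP/1.1" 200 512
203.0.113.11 - - [11/Jan/2026:10:00:01 +0000] "GET /?file=../../../../wp-config.php HTTP/1.1" 200 2048
203.0.113.12 - - [11/Jan/2026:10:00:02 +0000] "GET /?file=..%2f..%2fwp-config.php HTTP/1.1" 200 2048
203.0.113.13 - - [11/Jan/2026:10:00:03 +0000] "GET /?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 2048
203.0.113.14 - - [11/Jan/2026:10:00:04 +0000] "GET /docs/..notes/index.html HTTP/1.1" 404 0
"""


def normalize(value, max_rounds=3):
    """Percent-decode until stable (double encoding is common), unify slashes, lowercase."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").lower()


def classify_request(uri):
    """Return sorted reasons a request looks like an LFI/traversal attempt ([] if clean)."""
    parts = urlsplit(uri)
    # Inspect the path and every query value; parse_qsl already strips one encoding layer.
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for raw in candidates:
        value = normalize(raw)
        if TRAVERSAL_RE.search(value):
            reasons.add("traversal")
        if any(name in value for name in SENSITIVE_NAMES):
            reasons.add("sensitive-file")
    return sorted(reasons)


def review_log(text):
    """Run classify_request over combined-format log lines; return the flagged ones."""
    flagged = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = classify_request(match.group("uri"))
        if reasons:
            flagged.append({"ip": match.group("ip"), "uri": match.group("uri"),
                            "status": int(match.group("status")), "reasons": reasons})
    return flagged


def resolve_under(base, relative):
    """Resolve `relative` against `base` and return it only if it stays inside base.

    This is the rule open_basedir applies to every file open; an application
    that includes templates by name should apply the same check itself.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, relative))
    if candidate == base or candidate.startswith(base + "/"):
        return candidate
    return None  # escaped the allowed directory: refuse the open


if __name__ == "__main__":
    for hit in review_log(SAMPLE_LOG):
        print(f"{hit['ip']:15} {','.join(hit['reasons']):24} {hit['uri']}")
    theme_dir = "/var/www/html/wp-content/themes/right-way"
    print(resolve_under(theme_dir, "templates/header.php"))
    print(resolve_under(theme_dir, "../../../../wp-config.php"))
```

Two details matter in practice: the decoded value, not the raw query string, is what gets matched (the `%252e` line is only caught after two decoding rounds), and the path confinement check compares the normalised absolute path against the base with a trailing slash, so a sibling directory whose name merely starts with the base name is not accepted.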

Affected packages
  • Themeum / Right Way, versions ≤ 4.0
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H