HarborGuard Database

HIGH | CVE-2026-22331 | CNA: Patchstack

CVE-2026-22331: WordPress AutoParts theme <= 1.5.8 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in AutoParts <= 1.5.8 versions.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: (no fix version published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a local file inclusion vulnerability in the ThemeREX AutoParts WordPress theme, affecting all versions up to and including 1.5.8. The vulnerability is reachable over the network without any authentication, though exploitation requires the attacker to navigate specific environmental conditions tied to how file paths are resolved. Successful exploitation gives an attacker the ability to read sensitive files on the server, tamper with application data, and crash or destabilize the service. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-22331 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images, including custom-built images that bundle the AutoParts theme. No manual configuration is needed for matching to occur.

Triage (status: Available)

HarborGuard scores this CVE at 8.1 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and ownership. Triage routing is available to direct findings to the appropriate team inbox within each customer organization based on configured policy rules.

Patch (status: Pending upstream)

No fix version has been published by ThemeREX for AutoParts as of the CVE publication date, so no patched-image rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will make a patched rebuild available automatically the moment an upstream fix is released, at which point auto-remediation customers receive a rebuild, a regression-test run, and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress installation over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or session token is required; the vulnerable code path is accessible to anonymous HTTP requests.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or administrator of the target site.

  • Attack complexity: High

    Exploitation is rated High complexity, meaning the attacker must account for specific environmental or configuration conditions, such as server file layout or PHP include-path handling, before the inclusion can be triggered reliably.

Blast Radius

  • A successful attacker can read arbitrary files on the server, including PHP configuration files, environment files, and other secrets stored on disk.
  • The attacker can tamper with application data or inject malicious content by leveraging writable file paths surfaced through the inclusion mechanism.
  • Depending on server configuration, the attacker can trigger conditions that crash or destabilize the WordPress process, causing service disruption.
  • If a file containing executable PHP code is included, the vulnerability can escalate to remote code execution on the host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for AutoParts version 1.5.8 or below, the platform monitors the Patchstack advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment ThemeREX publishes a fixed version. For environments with auto-remediation enabled, that rebuild is followed by a regression-test run and a PR opened against affected workloads without manual intervention.

While no patch is available, compensating controls worth evaluating include network-policy rules that restrict inbound HTTP access to only trusted sources, egress filtering on the container or pod running WordPress to block unauthorized outbound file-fetch attempts, and disabling or removing the AutoParts theme entirely in environments where it is not actively required. Each of these controls can reduce the exploitable surface without waiting for an upstream release.

Affected packages
  • ThemeREX / AutoParts
    ≤ 1.5.8
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
References