CVE-2026-22403
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio innovio allows PHP Local File Inclusion.This issue affects Innovio: from n/a through <= 1.7.
Analysis
Mikado-Themes Innovio through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames used in PHP include/require statements, enabling attackers to access sensitive data without authentication. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all WordPress instances using Innovio theme and disable the plugin immediately on production systems. Within 7 days: Contact Mikado Themes for patch availability timeline and evaluate alternative themes for migration planning. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today