CVE-2026-57801
Select-Themes · SetSail
The SetSail WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper handling of filename inputs in PHP include/require statements.
Executive summary
A high-severity Local File Inclusion vulnerability in the Select-Themes SetSail WordPress theme allows authenticated attackers to potentially access sensitive server files.
Vulnerability
This vulnerability involves improper control of filenames used in PHP include statements, which can be exploited by an authenticated attacker with low privileges to perform Local File Inclusion (LFI) attacks.
Business impact
Successful exploitation of this vulnerability could lead to the exposure of sensitive configuration files, source code, or internal data, potentially facilitating further system compromise. With a CVSS score of 7.5, the risk is significant as it allows attackers to bypass intended access controls and read arbitrary files on the web server.
Remediation
Immediate Action: As no patched version is currently available, administrators should immediately deactivate or uninstall the SetSail theme until a security update is provided by the vendor.
Proactive Monitoring: Review web server access logs for unusual request patterns, particularly those containing directory traversal sequences (e.g., "../") or attempts to access non-web-accessible PHP files.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block directory traversal attempts and suspicious file inclusion requests.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the high CVSS score and the current lack of a vendor-provided patch, this vulnerability poses a tangible risk to the integrity and confidentiality of the host server. Security teams must prioritize deactivating the affected theme and implementing strict WAF filtering to prevent unauthorized file access.