CVE-2026-57801

Select-Themes · SetSail

The SetSail WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper handling of filename inputs in PHP include/require statements.

Executive summary

A high-severity Local File Inclusion vulnerability in the Select-Themes SetSail WordPress theme allows authenticated attackers to potentially access sensitive server files.

Vulnerability

This vulnerability involves improper control of filenames used in PHP include statements, which can be exploited by an authenticated attacker with low privileges to perform Local File Inclusion (LFI) attacks.

Business impact

Successful exploitation of this vulnerability could lead to the exposure of sensitive configuration files, source code, or internal data, potentially facilitating further system compromise. With a CVSS score of 7.5, the risk is significant as it allows attackers to bypass intended access controls and read arbitrary files on the web server.

Remediation

Immediate Action: As no patched version is currently available, administrators should immediately deactivate or uninstall the SetSail theme until a security update is provided by the vendor.

Proactive Monitoring: Review web server access logs for unusual request patterns, particularly those containing directory traversal sequences (e.g., "../") or attempts to access non-web-accessible PHP files.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block directory traversal attempts and suspicious file inclusion requests.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the high CVSS score and the current lack of a vendor-provided patch, this vulnerability poses a tangible risk to the integrity and confidentiality of the host server. Security teams must prioritize deactivating the affected theme and implementing strict WAF filtering to prevent unauthorized file access.