Playa | Beach & Pool Club WordPress Theme <= 1.3.9 – Unauthenticated Local File Inclusion | CVE 2026-22437 | Theme Vulnerabilities

Description

The Playa | Beach & Pool Club WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.9. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

Affects Themes

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7699f6bd-b965-412d-80f5-a999f2299e12

Classification

Type

RFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Tran Nguyen Bao Khanh

Verified

No

WPVDB ID

59495e16-1a15-4e87-8035-f317b3fa0f4a

Timeline

Publicly Published

2026-02-25 (about 1 month ago)

Added

2026-03-05 (about 30 days ago)

Last Updated

2026-03-05 (about 30 days ago)

Other

Published

Title

Published

2025-05-21

Title

Winnex <= 1.3.2 - Unauthenticated Local File Inclusion

Published

2026-02-27

Title

Filmax <= 1.1.11 - Unauthenticated Local File Inclusion

Published

2025-10-15

Title

UDesign Core <= 4.14.0 - Authenticated (Contributor+) Local File Inclusion

Published

2025-06-25

Title

Samex - Clean, Minimal Shop WooCommerce WordPress Theme <= 2.6 - Unauthenticated Local File Inclusion

Published

2025-08-22

Title

Anubis <= 1.25 - Unauthenticated Local File Inclusion