CVE-2026-22428 in Tooth Fairy Plugin
Summary
by MITRE • 03/05/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tooth Fairy tooth-fairy allows PHP Local File Inclusion. This issue affects Tooth Fairy: from n/a through <= 1.16.
Analysis
by VulDB Data Team • 03/11/2026
CVE-2026-22428 is a critical PHP Remote File Inclusion flaw in the AncoraThemes Tooth Fairy WordPress plugin that exposes affected sites to unauthorized remote code execution. The vulnerability stems from improper validation of the filename parameter passed to include/require statements, which lets an attacker influence which file is included and potentially execute arbitrary code on the target system. It affects every version of the Tooth Fairy plugin from the initial release through version 1.16, a prolonged window of exposure.
Technically, the vulnerability arises when the plugin passes user-supplied input into an include or require statement without sanitization or validation. A crafted file path can then reference local files or, depending on PHP configuration, remote resources, bypassing normal access controls and potentially causing malicious code to be executed. The flaw sits at the core of PHP's file inclusion mechanism, where the include statement processes a user-controllable parameter and user input meets file system operations directly. It is classified as CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), the weakness that covers inadequate validation of file paths used in include/require statements.
From an operational perspective, this vulnerability presents significant risk to WordPress installations using the affected Tooth Fairy plugin. Attackers can leverage this weakness to execute arbitrary code on the target server, potentially leading to complete system compromise, data exfiltration, or the establishment of persistent backdoors. The impact extends beyond individual plugin compromise as the vulnerability can be exploited to gain unauthorized access to the entire WordPress environment, potentially affecting other plugins, themes, and core WordPress functionality. This type of vulnerability is particularly dangerous because it can be exploited without requiring authentication, making it a prime target for automated attacks and mass exploitation campaigns.
Security practitioners should consider this vulnerability in the context of broader attack frameworks such as the MITRE ATT&CK matrix, where it maps to techniques involving code injection and privilege escalation. Exploitation typically follows a pattern in which the attacker first identifies the vulnerable parameter, then crafts a payload that is passed through the include statement to execute arbitrary code. Mitigation starts with immediately updating the affected plugin to version 1.17 or later, which addresses the improper input validation. Additionally, validating input, using allowlists for file inclusion parameters, and keeping PHP's allow_url_include directive disabled (its default setting) provide layered defense against similar vulnerabilities. Organizations should also consider deploying a web application firewall to detect and block suspicious inclusion patterns, and conduct regular security assessments to identify other injection vulnerabilities within their WordPress installations.
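The following is an added illustration written for this page; it is not the Tooth Fairy plugin's code and makes no claim about how the plugin is implemented. It shows the generic CWE-98 pattern the analysis describes (a request parameter reaching `include` unvalidated) next to a hardened version that applies the mitigations listed above: the parameter is treated as a lookup key into an allowlist, the resolved path is confirmed to stay inside the templates directory, and `allow_url_include` is checked. The `template` parameter, the `templates/` directory and the template names are hypothetical.

```php
<?php
// Added example, not code from the Tooth Fairy plugin. All names below
// ($_GET['template'], the templates/ directory, the template keys) are
// hypothetical placeholders chosen for illustration.

// --- Vulnerable pattern (CWE-98): user input flows straight into include ---
function render_template_unsafe(string $name): void
{
    // Whatever the caller supplies is spliced into the path and included,
    // so paths outside templates/ (and, with allow_url_include=On, URLs)
    // are honoured. This is the defect class the advisory describes.
    include __DIR__ . '/templates/' . $name;
}

// --- Hardened pattern: the request value is only a key into an allowlist ---
const TEMPLATE_ALLOWLIST = [
    'appointment' => 'appointment.php',
    'doctor'      => 'doctor.php',
    'service'     => 'service.php',
];

function resolve_template(string $key): ?string
{
    if (!array_key_exists($key, TEMPLATE_ALLOWLIST)) {
        return null; // unknown key: refuse instead of building a path from it
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$key]);
    // Defence in depth: even an allowlisted entry must resolve inside templates/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $key): void
{
    $path = resolve_template($key);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Host-level check: remote inclusion only works when allow_url_include is
// enabled, so a deployment review should confirm it is off.
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Usage: the request parameter never becomes a path, only an allowlist key.
$key = isset($_GET['template']) ? (string) $_GET['template'] : 'appointment';
if (remote_include_enabled()) {
    error_log('allow_url_include is On; remote file inclusion is possible on this host');
}
render_template($key);
```

The allowlist does the real work: a user-controlled string is never concatenated into a filesystem path, so traversal sequences and URL schemes have nothing to act on. The `realpath` comparison is a second, independent guard in case the allowlist is later edited carelessly, and the `allow_url_include` check turns the configuration advice from the analysis into something a deployment script can assert.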