CVE-2026-22356 HIGH

CVE-2026-22356: WordPress Jetpack CRM plugin <= 6.7.0 - Local File Inclusion vulnerability

Vendor Automattic
Product Jetpack CRM
Weakness CWE-98 · PHP file inclusion
Published February 20, 2026
Last update April 28, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Automattic Jetpack CRM zero-bs-crm allows PHP Local File Inclusion.This issue affects Jetpack CRM: from n/a through <= 6.7.0.

Explanation of Vulnerability in Simple Terms

02Summary

Jetpack CRM versions up to 6.7.0 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service. The attack requires network access and user interaction—typically the victim must click a malicious link or visit a crafted page. Attack complexity is high, suggesting the exploit requires specific conditions or timing.

What an attacker can do

03Attacker Capabilities

Read sensitive data, modify site content, or disrupt the site's availability.

Potential impact on your site

04Site Impact

Confidential customer or business data in Jetpack CRM could be exposed, modified, or lost.

Conditions required to exploit

05Prerequisites

Network access and user interaction required (victim must click a link or visit a page).

Key dates

06Disclosure timeline

February 20, 2026 CVE published
April 28, 2026 Record updated