CVE-2026-24635
BaseFortify
Publication date: 2026-01-23
Last updated on: 2026-01-26
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devsblink | edublink_core | From 2.0.0 (inc) to 2.0.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
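The CWE-98 row above describes the weakness class only. The following is an added illustration, not EduBlink Core's code and not taken from the advisory: a WordPress-style template loader that feeds a user-chosen name straight into `include()`, beside a hardened version that allowlists the name and confirms the resolved path stays inside the template directory. The function names, the `templates/` layout, the `../secret` payload and the `template` input are all hypothetical.

```php
<?php
// Added example (not EduBlink Core's code): the CWE-98 pattern in a
// WordPress-style template loader, beside a hardened version. Function
// names, the template directory layout and the "template" input are
// hypothetical; only the weakness class comes from the advisory.

declare(strict_types=1);

// Vulnerable: an attribute or request parameter chosen by the user lands in
// include() unchanged. "../secret" (or, with permissive ini settings, a
// php://filter wrapper) is resolved relative to $template_dir, so any
// readable .php file on the host can be pulled in.
function load_template_unsafe(string $template_dir, string $name): void
{
    include $template_dir . '/' . $name . '.php';
}

// Hardened: allowlist the names the feature ships, then confirm the
// resolved path still sits inside the template directory. The second check
// is redundant while the allowlist holds, but survives a later refactor that
// loosens it. In WordPress you would also gate this on a capability a
// Contributor does not hold (e.g. current_user_can('manage_options'))
// before honouring the input at all.
const ALLOWED_TEMPLATES = ['grid', 'list', 'carousel'];

function load_template_safe(string $template_dir, string $name): bool
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return false;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return false;
    }
    // realpath() has collapsed any "..", so a plain prefix test is sound.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Demonstration with files constructed in a temporary directory.
$root = sys_get_temp_dir() . '/cwe98_' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/grid.php", '<?php echo "grid template\n";');
// Stands in for wp-config.php sitting above the plugin directory.
file_put_contents("$root/secret.php", '<?php echo "DB_PASSWORD=hunter2\n";');

$attacker_input = '../secret';

echo "unsafe loader with '$attacker_input': ";
load_template_unsafe("$root/templates", $attacker_input);

echo "safe loader with '$attacker_input': ";
var_dump(load_template_safe("$root/templates", $attacker_input));

echo "safe loader with 'grid': ";
var_dump(load_template_safe("$root/templates", 'grid'));

// Clean up the constructed files.
unlink("$root/templates/grid.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Run it with the PHP CLI: the unsafe loader executes the file outside the template directory, while the hardened loader rejects the traversal and only serves the allowlisted name. Note that `include()` executes the target as PHP rather than printing it, so the practical exposure of a file such as `wp-config.php` depends on what the included code outputs and on which stream wrappers the host permits; the allowlist removes the question entirely.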
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to include and display local files that may contain sensitive information such as database credentials, potentially leading to a complete database takeover. This exposure of sensitive data could result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. However, no explicit mention of compliance impact is provided in the resources. [1]
Can you explain this vulnerability to me?
CVE-2026-24635 is a Local File Inclusion (LFI) vulnerability in the WordPress EduBlink Core plugin (versions 2.0.0 through 2.0.7). It allows an attacker with Contributor or Developer privileges to include and display local files from the target website. These files may contain sensitive information such as database credentials, potentially leading to a complete database takeover depending on the website's configuration. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to access and display sensitive local files on the server, which may include database credentials. This could lead to unauthorized access to the database and potentially a complete database takeover, compromising the confidentiality and integrity of your data. [1]
What immediate steps should I take to mitigate this vulnerability?
Since no official fix or patched version is currently available, immediate mitigation steps include: auditing which accounts hold the Contributor or Developer role (or higher) and removing or downgrading any that do not need it; monitoring request logs and WAF events for file inclusion attempts, such as path traversal sequences or PHP stream wrappers in request parameters; and considering deactivating or replacing the vulnerable EduBlink Core plugin until a patched version is released. [1]
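The monitoring step above is easier to act on with something concrete to run over a log. The script below is an added example, not from the advisory or the plugin: it flags access-log lines carrying the usual LFI signals (path traversal, including URL-encoded and double-encoded forms, null bytes, PHP stream wrappers, and well-known target files). The log lines and the `template` parameter are constructed for illustration; the advisory does not name the vulnerable parameter, and the indicator list is the generic LFI signal set rather than anything specific to EduBlink Core.

```php
<?php
// Added example, not from the advisory or the plugin: flag request-log lines
// that look like file-inclusion probes. Log lines and the "template"
// parameter are constructed for illustration; the real parameter name is
// not given in the advisory.

declare(strict_types=1);

// Returns the indicator labels that fire on one log line (empty = clean).
function lfi_indicators(string $line): array
{
    // Decode twice so double-encoded traversal (%252e%252e) is caught too.
    $decoded = rawurldecode(rawurldecode($line));
    $checks = [
        'traversal'      => '#\.\.[/\\\\]#',
        'null_byte'      => '#\x00#',
        'php_wrapper'    => '#\b(php|phar|data|expect|file)://#i',
        'sensitive_file' => '#(wp-config\.php|/etc/passwd|/proc/self/environ)#i',
    ];
    $hits = [];
    foreach ($checks as $label => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Runs the indicators over every line; returns [line => labels] for hits only.
function scan_access_log(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $hits = lfi_indicators($line);
        if ($hits !== []) {
            $flagged[$line] = $hits;
        }
    }
    return $flagged;
}

// Constructed Apache combined-format lines (not real traffic).
$sample_log = [
    '203.0.113.5 - - [23/Jan/2026:10:00:01 +0000] "GET /?template=grid HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Jan/2026:10:00:02 +0000] "GET /?template=../../wp-config.php HTTP/1.1" 200 2048',
    '203.0.113.7 - - [23/Jan/2026:10:00:03 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1700',
    '203.0.113.9 - - [23/Jan/2026:10:00:04 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 4100',
];

// Only the three probe lines are reported; the plain "grid" request is clean.
foreach (scan_access_log($sample_log) as $line => $labels) {
    echo implode(',', $labels), "\t", $line, "\n";
}
```

Two caveats when applying this to a real site. The web-server access log only records the query string of GET requests, while a logged-in Contributor typically submits content through the editor, `admin-ajax.php` or the REST API, where the value travels in a POST body; catching those needs application-level logging or a WAF that inspects request bodies. And because the attacker here already holds an account, pair the log review with the role audit above: the source IP of a flagged request is less useful than the authenticated user behind it.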