CVE-2026-27065
Received - Intake
PHP Local File Inclusion Vulnerability in BuilderPress

Publication date: 2026-03-19

Last updated on: 2026-04-23

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through <= 2.0.1.

Meta Information
Published: 2026-03-19
Last Modified: 2026-04-23
Generated: 2026-06-16
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Vendor: thimpress
Product: builderpress
Version / Range: through 2.0.1 (inclusive)

CWE ID: CWE-98
Description: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Executive Summary

CVE-2026-27065 is a Local File Inclusion (LFI) vulnerability found in the WordPress BuilderPress plugin versions up to and including 2.0.1.

This vulnerability allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filename parameters in PHP include/require statements.

As a result, attackers can potentially access sensitive information stored in local files, such as database credentials.

Impact Analysis

Exploiting this vulnerability can lead to exposure of sensitive information like database credentials.

With these credentials, an attacker could potentially take over the entire database depending on the website's configuration.

The vulnerability has a very high severity score of 9.8, indicating it is highly dangerous and likely to be exploited in widespread attacks. [1]

Detection Guidance

The CVE-2026-27065 vulnerability is a Local File Inclusion (LFI) flaw in the WordPress BuilderPress plugin that allows unauthenticated attackers to include and display local files from the target website.

Detection typically involves monitoring for unusual HTTP requests attempting to include local files or scanning the plugin files for vulnerable code patterns.

Since no official patch is available yet, using the mitigation rule provided by Patchstack can help block exploitation attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include updating the BuilderPress plugin to the latest version if an update becomes available.

Since no official patch is currently available, applying the mitigation rule issued by Patchstack can block attacks exploiting this flaw.

Users are strongly advised to seek assistance from their hosting provider or web developer if updating the plugin is not possible.
