CVE-2026-27334
Local File Inclusion in Alchemists PHP β€ 4.6.0 Allows Code Execution
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| patchstack | alchemists | From 4.0.0 (inc) to 4.6.0 (inc) |
| dan_fisher | alchemists | to 4.6.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27334 is a Local File Inclusion (LFI) vulnerability in the WordPress Alchemists Theme versions up to and including 4.6.0. It allows an unauthenticated attacker to include and display local files from the target website by exploiting improper control of filename for include/require statements in PHP.
This vulnerability is classified under OWASP Top 10 A3: Injection and can expose sensitive files such as those containing database credentials.
How can this vulnerability impact me? :
Exploiting this vulnerability could lead to exposure of sensitive files on the server, including database credentials.
Depending on the server configuration, this could result in a complete database takeover.
Since the vulnerability requires no authentication to exploit, it poses a high risk and urgency for mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'CVE-2026-27334 is a Local File Inclusion (LFI) vulnerability that allows an unauthenticated attacker to include and display local files from the target website. Detection typically involves monitoring for suspicious HTTP requests attempting to include local files via the vulnerable parameter in the Alchemists WordPress theme.'}, {'type': 'paragraph', 'content': 'While no specific detection commands are provided, common approaches include inspecting web server logs for requests containing suspicious file inclusion patterns such as "../" sequences or attempts to access sensitive files like /etc/passwd or configuration files.'}, {'type': 'paragraph', 'content': 'Network or system administrators can use tools like grep on access logs to find such patterns, for example:'}, {'type': 'list_item', 'content': 'grep -iE "(\\.{2}/|etc/passwd|config\\.php)" /var/log/apache2/access.log'}, {'type': 'list_item', 'content': 'tail -f /var/log/apache2/access.log | grep --line-buffered "include"'}, {'type': 'paragraph', 'content': 'Additionally, web application firewalls (WAFs) or intrusion detection systems (IDS) with rules targeting LFI attempts can help detect exploitation attempts.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Since no official patch is currently available for CVE-2026-27334, immediate mitigation should focus on applying the mitigation rule provided by Patchstack to block attacks exploiting this vulnerability.
Users are strongly advised to implement this mitigation as soon as possible to protect their websites from unauthenticated Local File Inclusion attacks.
Additional steps include:
- Deploy a web application firewall (WAF) with rules to detect and block LFI attack patterns.
- Monitor web server logs for suspicious file inclusion attempts.
- Restrict file permissions on the server to limit access to sensitive files.
- Consider temporarily disabling or replacing the vulnerable Alchemists theme until an official patch is released.