CVE-2026-32500
Local File Inclusion Vulnerability in CreativeWS MetaMax
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| creativews | metamax | to 1.1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32500 is a Local File Inclusion (LFI) vulnerability found in the WordPress MetaMax Theme versions up to and including 1.1.4. This flaw allows unauthenticated attackers to include and display local files from the target website.
By exploiting this vulnerability, attackers can potentially access sensitive information stored in local files, such as database credentials.
The vulnerability is classified under the OWASP Top 10 category A3: Injection and has a high severity score of 8.1, indicating a high risk and likelihood of exploitation.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to unauthorized access to sensitive files on the target website, including database credentials.
Depending on the websiteβs configuration, attackers could achieve a complete database takeover.
This can result in data breaches, loss of data integrity, and potential further compromise of the website and its users.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate the CVE-2026-32500 vulnerability is to update the MetaMax WordPress theme to version 1.1.5 or later, where the issue has been patched.
If updating immediately is not possible, applying the mitigation rule provided by Patchstack can block attacks exploiting this vulnerability until the update is applied.
Users unable to update or apply the mitigation rule should seek assistance from their hosting provider or web developer to ensure protection against exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-32500 vulnerability allows unauthenticated attackers to include and display local files from the target website, potentially exposing sensitive information such as database credentials. This exposure of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Exploitation of this vulnerability could result in a complete database takeover depending on the websiteβs configuration, increasing the risk of data breaches and non-compliance with security standards mandated by these regulations.
Therefore, failure to promptly patch or mitigate this vulnerability may lead to non-compliance with common standards and regulations that mandate protection of sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Local File Inclusion (LFI) flaw in the MetaMax WordPress theme up to version 1.1.4, allowing attackers to include and display local files. Detection typically involves monitoring for suspicious HTTP requests attempting to exploit the include/require statement by injecting file paths.
To detect exploitation attempts on your web server, you can search your web server logs for requests containing suspicious parameters that include local file paths or traversal sequences such as "../".
- Use grep or similar tools to scan access logs for suspicious patterns, for example:
- grep -iE "(\.{2}/|etc/passwd|boot.ini|\%00)" /var/log/apache2/access.log
- Look for unusual query parameters that might be used to include files, such as 'page=', 'file=', or 'include='.
Additionally, web application firewalls (WAFs) or security plugins can be configured to detect and block such LFI attempts. Patchstack provides a mitigation rule that can block attacks exploiting this vulnerability until the theme is updated.