CVE-2026-32503
Local File Inclusion Vulnerability in Trendustry
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| creativews | trendustry | to 1.1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32503 is a Local File Inclusion (LFI) vulnerability found in the WordPress Trendustry Theme versions up to and including 1.1.4. It allows unauthenticated attackers to include and display local files from the target website by exploiting improper control of filenames in PHP include/require statements.
This means an attacker can access sensitive files on the server, such as configuration files or database credentials, without needing any special privileges.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to serious security risks including exposure of sensitive information like database credentials.
Depending on the website's configuration, attackers could potentially take over the entire database.
Because no authentication is required to exploit this flaw, it poses a high risk and can be targeted in widespread attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-32503 vulnerability allows unauthenticated attackers to include local files from the target website and display their contents. Detection can involve monitoring for unusual HTTP requests attempting to include local files via the Trendustry theme.
While specific commands are not provided in the resources, typical detection methods for Local File Inclusion (LFI) vulnerabilities include inspecting web server logs for suspicious requests containing file path traversal patterns such as "../" or attempts to include sensitive files like "/etc/passwd".
Network intrusion detection systems (NIDS) or web application firewalls (WAF) can be configured to alert on such patterns.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Trendustry Theme to version 1.1.5 or later, where the vulnerability has been patched.
Until the update can be applied, Patchstack provides a mitigation rule to block attacks targeting this vulnerability, which can be used to protect affected websites.
Applying these mitigations promptly is critical due to the high severity and ease of exploitation of this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-32503 vulnerability allows unauthenticated attackers to include local files from the target website and display their contents, potentially exposing sensitive information such as database credentials.
Exposure of sensitive information due to this Local File Inclusion vulnerability could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.
Therefore, failure to patch or mitigate this vulnerability could result in non-compliance with these common standards and regulations, increasing the risk of legal and financial consequences.