CVE-2026-32504
Local File Inclusion Vulnerability in CreativeWS VintWood
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| creativews | vintwood | to 1.1.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32504 is a Local File Inclusion (LFI) vulnerability found in the WordPress VintWood Theme versions up to 1.1.8. This vulnerability allows unauthenticated attackers to include and display local files from the target website.
By exploiting this flaw, attackers can access sensitive information stored in local files, such as database credentials, which could lead to further compromise of the website.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including exposure of sensitive local files and database credentials.
If exploited, it could lead to a complete database takeover depending on the website's configuration.
Because the vulnerability requires no authentication, any attacker can exploit it remotely, increasing the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability allows unauthenticated attackers to include local files from the target website and display their contents. Detection can involve monitoring for suspicious HTTP requests attempting to exploit Local File Inclusion (LFI) patterns targeting the VintWood theme.
While specific commands are not provided, typical detection methods include inspecting web server logs for requests containing suspicious parameters that attempt to include local files, such as those with directory traversal sequences (e.g., ../) or attempts to access sensitive files.
Using tools like grep on server logs to search for suspicious patterns or using web application firewalls with rules to detect LFI attempts can help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate recommended step is to update the WordPress VintWood Theme to version 1.1.9 or later, which contains the patch for this Local File Inclusion vulnerability.
Until the update can be applied, it is advised to use Patchstack mitigation rules that block attacks targeting this vulnerability to protect the website from exploitation.
Taking these steps will reduce the risk of exposure of local files, potential database credential leakage, and possible full database takeover.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to include and display local files from the target website, potentially exposing sensitive information such as database credentials. This exposure could lead to a complete database takeover depending on the website's configuration.
Such exposure of sensitive data can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information. If attackers access or leak personal data due to this vulnerability, it could lead to violations of these regulations.
Therefore, failure to patch or mitigate this vulnerability may increase the risk of data breaches and regulatory non-compliance.