CVE-2026-32537
Local File Inclusion in nK Visual Portfolio
Publication date: 2026-03-25
Last updated on: 2026-03-25
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nk_visual_portfolio | visual_portfolio | to 3.5.1 (inc) |
| patchstack | visual_portfolio | to 3.5.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32537 is a Local File Inclusion (LFI) vulnerability found in the WordPress Visual Portfolio, Photo Gallery & Post Grid Plugin versions up to and including 3.5.1.
This vulnerability allows an attacker to include and display local files from the target website by exploiting improper control of filenames in PHP include/require statements.
As a result, sensitive information such as database credentials can be exposed, potentially leading to a complete database takeover depending on the website's configuration.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to the exposure of sensitive files on the server, including database credentials.
This exposure can result in a complete database takeover, compromising the confidentiality, integrity, and availability of the website's data.
The vulnerability requires only subscriber-level privileges to exploit, making it easier for attackers with limited access to cause significant damage.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The CVE-2026-32537 vulnerability is a Local File Inclusion (LFI) issue affecting the WordPress Visual Portfolio, Photo Gallery & Post Grid Plugin versions up to 3.5.1. Detection typically involves monitoring for attempts to include local files via the plugin's parameters.
While specific commands are not provided in the resources, common detection methods include checking web server logs for suspicious requests containing file inclusion patterns, such as parameters attempting to include files like /etc/passwd or other sensitive files.
Additionally, using web application firewalls (WAFs) or security plugins that monitor for LFI attack patterns can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update the Visual Portfolio, Photo Gallery & Post Grid Plugin to version 3.5.2 or later, where the vulnerability has been patched.
If updating immediately is not possible, applying the automatic mitigation rule provided by Patchstack to block attacks targeting this vulnerability is recommended.
Users unable to update or apply the mitigation rule should seek assistance from their hosting provider or web developer.
Additionally, enabling continuous security monitoring and auto-updates for vulnerable plugins can help protect the website from exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-32537 vulnerability allows attackers to include and display local files from the target website, potentially exposing sensitive information such as database credentials. This exposure of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information.
Because exploitation can lead to a complete database takeover depending on the website's configuration, organizations affected by this vulnerability may face compliance risks related to unauthorized access and data breaches.
Mitigation by updating the plugin to version 3.5.2 or later is critical to reduce the risk of non-compliance with these standards.