CVE-2026-39661
Received - Intake
BaseFortify

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-05-26
AI Q&A: 2026-05-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: magentech
Product: sw_core
Version / Range: to 1.7.18 (inc)
CWE ID: CWE-98
Description: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to include local files on the target website, potentially exposing sensitive data such as database credentials. This exposure could lead to a complete database takeover depending on the server configuration.

Such unauthorized access and potential data exposure can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.


Can you explain this vulnerability to me?

CVE-2026-39661 is a Local File Inclusion (LFI) vulnerability in the WordPress SW Core Plugin versions 1.7.18 and below.

This flaw allows attackers to include local files on the target website by exploiting improper control of filename for include/require statements in PHP, potentially exposing sensitive data such as database credentials.

The vulnerability requires contributor-level privileges to exploit and is classified under the OWASP Top 10 category A3: Injection.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to exposure of sensitive data like database credentials.

Depending on the server configuration, this could result in a complete database takeover.

The vulnerability has a high severity score of 7.5, indicating significant potential impact, although the likelihood of exploitation is considered low.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to update the WordPress SW Core Plugin to a version above 1.7.18 as soon as an official patch becomes available.

Since there is currently no official patch, users are advised to seek assistance from their hosting provider or web developer to apply temporary mitigations or workarounds.

Updating the plugin reduces the risk of attackers exploiting the Local File Inclusion vulnerability that could expose sensitive data or lead to database takeover.

