CVE-2026-39661
Deferred Deferred - Pending Action
PHP Local File Inclusion in SW Core

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-39661
EUVD
EUVD-2026-31802
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
magentech sw_core to 1.7.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39661 is a Local File Inclusion (LFI) vulnerability in the WordPress SW Core Plugin versions 1.7.18 and below.

This flaw allows attackers to include local files on the target website by exploiting improper control of filename for include/require statements in PHP, potentially exposing sensitive data such as database credentials.

The vulnerability requires contributor-level privileges to exploit and is classified under the OWASP Top 10 category A3: Injection.

Impact Analysis

Exploitation of this vulnerability can lead to exposure of sensitive data like database credentials.

Depending on the server configuration, this could result in a complete database takeover.

The vulnerability has a high severity score of 7.5, indicating significant potential impact, although the likelihood of exploitation is considered low.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress SW Core Plugin to a version above 1.7.18 as soon as an official patch becomes available.

Since there is currently no official patch, users are advised to seek assistance from their hosting provider or web developer to apply temporary mitigations or workarounds.

Updating the plugin reduces the risk of attackers exploiting the Local File Inclusion vulnerability that could expose sensitive data or lead to database takeover.

Compliance Impact

The vulnerability allows attackers to include local files on the target website, potentially exposing sensitive data such as database credentials. This exposure could lead to a complete database takeover depending on the server configuration.

Such unauthorized access and potential data exposure can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39661. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart