CVE-2026-34894
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Local File Inclusion in Integrio Core versions < 1.2.8.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: patchstack
Product: integrio_core
Version / Range: to 1.2.8 (exc)
CWE
CWE-98: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Executive Summary

The WordPress Integrio Core Plugin versions prior to 1.2.8 contain a Local File Inclusion (LFI) vulnerability. This flaw allows unauthenticated attackers to include local files on the target website.

Exploiting this vulnerability can expose sensitive data such as database credentials and may lead to a complete database takeover in certain configurations.

The vulnerability has a high severity score of 8.1, indicating a significant risk.

Impact Analysis

This vulnerability can have severe impacts including exposure of sensitive data like database credentials.

In some cases, attackers can achieve a complete takeover of the database, compromising the integrity, confidentiality, and availability of your data.

Because the vulnerability is exploitable without authentication, it poses a high risk and may be targeted in mass-exploit campaigns.

Detection Guidance

The vulnerability allows unauthenticated Local File Inclusion (LFI) in Integrio Core versions prior to 1.2.8, which can be detected by monitoring for suspicious HTTP requests attempting to include local files.

While specific commands are not provided, typical detection methods include inspecting web server logs for unusual URL parameters that reference local files, or using web application firewall (WAF) rules to detect and block LFI attack patterns.

Patchstack has provided a mitigation rule to block attacks until the plugin is updated, which can also aid in detection by logging blocked attempts.
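
One way to carry out the log inspection described above, as an added example (not Patchstack's mitigation rule and not code from the plugin or this page). The indicator patterns are generic file-inclusion signatures; the log lines, the parameter name example_tpl and the request paths are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-format access log: client IP, request target, response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Generic file-inclusion indicators (assumption: not tuned to this plugin).
INDICATORS = {
    "path_traversal": re.compile(r"\.\.[\\/]"),
    "stream_wrapper": re.compile(r"^(php|file|phar)://", re.I),
    "null_byte": re.compile(r"\x00"),
    "sensitive_file": re.compile(r"wp-config\.php|/etc/passwd", re.I),
}

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e) so encoded values still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (ip, status, parameter, [indicator names]) for each flagged parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not an access-log entry in the expected format
    hits = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = fully_decode(raw)
        matched = [k for k, rx in INDICATORS.items() if rx.search(value)]
        if matched:
            hits.append((m["ip"], int(m["status"]), name, matched))
    return hits

def scan(lines):
    return [hit for line in lines for hit in scan_line(line)]

# Constructed sample entries (documentation IP ranges, hypothetical parameter).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Jun/2026:10:01:02 +0000] "GET /?s=summer+sale HTTP/1.1" 200 5120',
    '198.51.100.23 - - [17/Jun/2026:10:01:05 +0000] "GET /index.php?example_tpl=..%2F..%2Fwp-config.php HTTP/1.1" 200 312',
    '198.51.100.23 - - [17/Jun/2026:10:01:06 +0000] "GET /index.php?example_tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for ip, status, param, why in scan(SAMPLE_LOG):
        print(f"{ip} status={status} param={param} indicators={','.join(why)}")
```

A flagged request answered with status 200 deserves closer review than one the server or WAF rejected with 403.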

Mitigation Strategies

The immediate recommended step is to update the Integrio Core plugin to version 1.2.8 or later, which contains the fix for this Local File Inclusion vulnerability.

Until the update can be applied, it is advised to implement the mitigation rule provided by Patchstack to block attacks exploiting this vulnerability.

Compliance Impact

The vulnerability allows unauthenticated attackers to include local files on the target website, potentially exposing sensitive data such as database credentials and leading to a complete database takeover in certain configurations.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, failing to address this vulnerability may result in violations of these standards and regulations, increasing the risk of legal and financial consequences.
