CVE-2026-34895
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Patchstack

Description
Unauthenticated Local File Inclusion in Softlab Core versions before 1.2.11.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
softlab   core       to 1.2.11 (exc)
CWE
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Executive Summary

CVE-2026-34895 is a Local File Inclusion (LFI) vulnerability found in the WordPress Softlab Core Plugin versions prior to 1.2.11. This vulnerability allows unauthenticated attackers to include local files on the target website.

Exploiting this flaw can lead to exposure of sensitive data such as database credentials and may result in a complete database takeover.

The vulnerability is considered high priority with a CVSS score of 8.1 and falls under the OWASP Top 10 category A3: Injection.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive information like database credentials.

Attackers can potentially take over the entire database, leading to data breaches, data loss, or manipulation.

Because the vulnerability is exploitable without authentication, it poses a significant risk and may be targeted in widespread attack campaigns.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the WordPress Softlab Core Plugin to version 1.2.11 or later.

If updating the plugin is not possible immediately, users should seek assistance from their hosting provider or web developer.

Additionally, Patchstack has provided a mitigation rule to block attacks targeting this vulnerability until the plugin can be updated.

Compliance Impact

The vulnerability allows unauthenticated attackers to include local files on the target website, potentially exposing sensitive data such as database credentials and enabling a complete database takeover.

Exposure of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Therefore, organizations using affected versions of the Softlab Core plugin may face increased risk of violating these regulations if the vulnerability is exploited.

Detection Guidance

The vulnerability is a Local File Inclusion (LFI) in the WordPress Softlab Core Plugin versions prior to 1.2.11, exploitable without authentication. Detection typically involves monitoring for suspicious HTTP requests attempting to include local files.

To detect exploitation attempts on your system or network, you can look for HTTP requests containing typical LFI payloads such as directory traversal patterns (e.g., ../) or attempts to access sensitive files like /etc/passwd or wp-config.php.

  • Use web server access logs to search for suspicious requests, for example with grep:
      grep -iE "(\.{2}/|etc/passwd|wp-config\.php)" /var/log/apache2/access.log
  • Use network monitoring tools or intrusion detection systems (IDS) with rules to detect LFI patterns targeting the Softlab Core plugin.
  • Apply the mitigation rule provided by Patchstack to block attack attempts until the plugin is updated.

Immediate updating of the plugin to version 1.2.11 or later is the recommended action to prevent exploitation.
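
The access-log search described above, extended so that percent-encoded requests are decoded before matching and hits are grouped per client for triage. This is an added example, not code from Patchstack or the plugin; it assumes the Apache/Nginx combined log format, and the sample lines and the parameter name example_param are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache/Nginx combined log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Same indicators as the grep above.
LFI_RE = re.compile(r'\.\./|etc/passwd|wp-config\.php', re.IGNORECASE)

# Constructed sample lines (documentation IPs; "example_param" is a
# placeholder, not the plugin's real parameter).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jun/2026:10:00:01 +0000] "GET /index.php?example_param=../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"',
    '192.0.2.10 - - [17/Jun/2026:10:00:02 +0000] "GET /index.php?example_param=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 512 "-" "curl/8.0"',
    '198.51.100.7 - - [17/Jun/2026:10:00:05 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [17/Jun/2026:10:00:09 +0000] "GET /index.php?example_param=%252e%252e%252fwp-config.php HTTP/1.1" 403 199 "-" "-"',
]

def normalize(target, max_rounds=3):
    """Percent-decode until stable so encoded requests match the same patterns."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan(lines):
    """Return (client, status, decoded_target) for each request matching LFI_RE."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format request line
        decoded = normalize(m["target"])
        if LFI_RE.search(decoded):
            hits.append((m["client"], int(m["status"]), decoded))
    return hits

def triage(hits):
    """Group hits per client; requests answered with 2xx are reviewed first."""
    by_client = defaultdict(lambda: {"requests": 0, "answered_2xx": 0})
    for client, status, _ in hits:
        by_client[client]["requests"] += 1
        by_client[client]["answered_2xx"] += 200 <= status < 300
    return dict(by_client)

if __name__ == "__main__":
    for client, stats in triage(scan(SAMPLE_LOG)).items():
        print(client, stats)
```

A 2xx status only shows that the request was answered, not that a file was included, so it sets review order rather than confirming compromise. The second sample line is one the plain grep does not match, because its slashes and dots are percent-encoded in the raw log.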
