CVE-2026-24538

High

Published: 23 January 2026

Published

23 January 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24538 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 37.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

LFI flaw in public-facing WordPress/PHP plugin directly enables T1190 initial access and subsequent web shell deployment/execution via arbitrary file inclusion.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion.This issue affects Omnipress: from n/a through <= 1.6.7.

Deeper analysisAI

CVE-2026-24538 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion (CWE-98). It affects the Omnipress WordPress plugin developed by omnipressteam, impacting all versions from n/a through 1.6.7.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network by an attacker possessing low privileges. It requires high attack complexity and no user interaction, with successful attacks enabling high impacts on confidentiality, integrity, and availability through local file inclusion.

Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve, provide details on the vulnerability in the Omnipress plugin.

Details

CWE(s): CWE-98

CVEs Like This One

CVE-2025-58214Shared CWE-98

CVE-2025-54701Shared CWE-98

CVE-2025-7327Shared CWE-98

CVE-2026-27894Shared CWE-98

CVE-2024-51319Shared CWE-98

CVE-2025-49436Shared CWE-98

CVE-2025-69078Shared CWE-98

CVE-2026-27383Shared CWE-98

CVE-2025-58967Shared CWE-98

CVE-2025-0366Shared CWE-98

References

https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com