CVE-2026-32369

Severity: High

Published: 13 March 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: fix available in 2.0.7
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0017 (38.1st percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32369 is a high-severity file inclusion vulnerability classed under CWE-98 ("PHP Remote File Inclusion"); in practice it is a local file inclusion issue. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 38.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32369 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Local File Inclusion issue (CWE-98), affecting the RadiusTheme Medilink-Core WordPress plugin. Published on 2026-03-13, it affects all versions of Medilink-Core prior to 2.0.7 (the lower bound of the affected range is given as n/a). The vulnerability arises from inadequate validation of the filenames used in PHP include/require statements, which lets an attacker influence which local file the interpreter includes.

Exploitation requires network access with high attack complexity and low privileges (PR:L), such as an authenticated low-privileged WordPress user, and no user interaction. Successful attacks can result in high impacts on confidentiality, integrity, and availability (CVSSv3.1 score of 7.5: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H), potentially allowing sensitive file disclosure, data modification, or denial of service through included local files.

The Patchstack advisory for this vulnerability, detailing the Local File Inclusion flaw in the Medilink-Core plugin, indicates that it was addressed in version 2.0.7. Security practitioners should urge users to update to Medilink-Core 2.0.7 or later to mitigate the issue.

Vulnerability details

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion. This issue affects Medilink-Core: from n/a through < 2.0.7.

CWE(s)

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

A local file inclusion flaw in a public-facing WordPress plugin is reachable over the network, which maps to T1190. Because the flaw allows arbitrary local files to be read, it also directly supports T1005 (disclosure of local data) and T1552.001 (theft of credentials stored in files such as configuration files).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-32400 (shared CWE-98)
- CVE-2026-22371 (shared CWE-98)
- CVE-2026-28059 (shared CWE-98)
- CVE-2025-60066 (shared CWE-98)
- CVE-2025-60042 (shared CWE-98)
- CVE-2025-60056 (shared CWE-98)
- CVE-2025-62010 (shared CWE-98)
- CVE-2026-22495 (shared CWE-98)
- CVE-2026-25382 (shared CWE-98)
- CVE-2025-69049 (shared CWE-98)

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly addresses the core vulnerability by requiring validation of filename inputs to prevent path manipulation in PHP include/require statements.
- SI-2 Flaw Remediation (prevent): Mitigates the specific flaw by mandating timely remediation through patching to Medilink-Core 2.0.7 or later.
- Allowlisting of filename inputs (prevent; no control identifier is given for this entry): Prevents exploitation by restricting filename inputs to only explicitly permitted safe values, blocking malicious local file paths.
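To make the SI-10 and allowlisting controls concrete, the following PHP shows the generic CWE-98 pattern (a template name taken from the request and spliced into an include path) next to an allowlisted replacement. This is an added illustration, not the Medilink-Core plugin's code and not taken from the advisory; the `view` request parameter, the `templates/` directory and the template names are constructed assumptions. It uses plain PHP rather than WordPress helper functions so it can be read and run outside WordPress.

```php
<?php
// Added example (not the Medilink-Core plugin's own code): the generic
// CWE-98 include pattern and an allowlisted replacement. The 'view'
// parameter, TEMPLATE_DIR and the template names are constructed.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable pattern: the path handed to include is assembled from
// request input, so the request decides which local file the PHP
// interpreter loads and executes. Do not use this form.
function render_unsafe(string $view): void
{
    include TEMPLATE_DIR . '/' . $view . '.php';
}

// Hardened pattern (SI-10 input validation via an allowlist): the request
// may only select one of the enumerated keys; the filename that reaches
// include comes from this table, never from the request itself.
const ALLOWED_VIEWS = [
    'list'    => 'list.php',
    'details' => 'details.php',
    'booking' => 'booking.php',
];

// Returns the absolute template path for an allowlisted view name, or
// null when the name is unknown. Unknown names are refused outright
// rather than "cleaned up" and passed on.
function resolve_view(string $view): ?string
{
    if (!array_key_exists($view, ALLOWED_VIEWS)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . ALLOWED_VIEWS[$view]);
    // Defence in depth: even though the allowlist already fixes the
    // filename, confirm the resolved file still lives under TEMPLATE_DIR.
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_safe(string $view): void
{
    $path = resolve_view($view);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown view';
        return;
    }
    include $path;
}

// Usage: 'view' is the constructed request parameter; default to 'list'.
render_safe((string) ($_GET['view'] ?? 'list'));
```

The design point is that validation selects from a fixed set rather than trying to strip dangerous characters from free-form input: a denylist has to anticipate every encoding of a path separator or traversal sequence, while an allowlist lookup fails closed for anything it has not seen. The `realpath` containment check costs little and catches a later mistake in the table (for example a symlink placed in the template directory). For a deployed site, confirming that the installed Medilink-Core version is 2.0.7 or later (SI-2) remains the primary fix; the allowlist pattern is what plugin authors should apply so the flaw class does not recur.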
