CVE-2026-32400

High

Published: 13 March 2026

Published

13 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32400 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

LFI in public-facing WordPress theme directly enables T1190 exploitation; arbitrary local file includes facilitate T1005 data collection and T1552.001 credential file reads (e.g. wp-config.php).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemetechMount Boldman boldman allows PHP Local File Inclusion.This issue affects Boldman: from n/a through <= 7.7.

Deeper analysisAI

CVE-2026-32400 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion, in the Boldman WordPress theme developed by ThemetechMount. The flaw enables PHP Local File Inclusion and affects Boldman theme versions from n/a through 7.7. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-98.

Low-privileged remote attackers can exploit this vulnerability over the network. Exploitation requires high attack complexity and low privileges (PR:L), with no user interaction needed. Successful attacks can result in high impacts to confidentiality, integrity, and availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/boldman/vulnerability/wordpress-boldman-theme-7-7-local-file-inclusion-vulnerability?_s_id=cve documents this Local File Inclusion issue in the WordPress Boldman theme version 7.7. Practitioners should review the advisory for specific mitigation recommendations.

Details

CWE(s): CWE-98

CVEs Like This One

CVE-2026-22364Shared CWE-98

CVE-2025-60198Shared CWE-98

CVE-2025-67530Shared CWE-98

CVE-2026-27996Shared CWE-98

CVE-2026-22412Shared CWE-98

CVE-2026-28059Shared CWE-98

CVE-2025-58925Shared CWE-98

CVE-2025-62010Shared CWE-98

CVE-2026-32393Shared CWE-98

CVE-2026-25382Shared CWE-98

References

https://patchstack.com/database/Wordpress/Theme/boldman/vulnerability/wordpress-boldman-theme-7-7-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com