CVE-2026-32426

High

Published: 13 March 2026

Published

13 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32426 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

LFI in public-facing WordPress plugin directly enables remote exploitation (T1190), local file reads for data access (T1005), and privilege escalation from low-priv authenticated user to full C/I/A impact via code execution (T1068).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.This issue affects Medilazar Core: from n/a through < 1.4.7.

Deeper analysisAI

CVE-2026-32426 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified under CWE-98, affecting the Medilazar Core WordPress plugin developed by themelexus. Specifically, it enables PHP Local File Inclusion despite being described as a PHP Remote File Inclusion issue. The vulnerability impacts all versions of Medilazar Core from n/a through those prior to 1.4.7. It carries a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility but high attack complexity.

Attackers with low privileges, such as authenticated users with limited roles on a vulnerable WordPress site, can exploit this remotely over the network without user interaction. Successful exploitation allows high-impact confidentiality, integrity, and availability violations, potentially enabling attackers to read sensitive local files, execute arbitrary code via included files, modify site data, or disrupt service.

The Patchstack advisory confirms the Local File Inclusion vulnerability in the Medilazar Core plugin and recommends updating to version 1.4.7 or later to mitigate it, as prior versions remain susceptible.

Details

CWE(s): CWE-98

CVEs Like This One

CVE-2025-69040Shared CWE-98

CVE-2025-69037Shared CWE-98

CVE-2026-25464Shared CWE-98

CVE-2026-22516Shared CWE-98

CVE-2025-53447Shared CWE-98

CVE-2025-22509Shared CWE-98

CVE-2026-22464Shared CWE-98

CVE-2025-58225Shared CWE-98

CVE-2025-69004Shared CWE-98

CVE-2025-69399Shared CWE-98

References

https://patchstack.com/database/Wordpress/Plugin/medilazar-core/vulnerability/wordpress-medilazar-core-plugin-1-4-7-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com