CVE-2026-39677
Published: 08 April 2026
Summary
CVE-2026-39677 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-39677 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion but enabling PHP Local File Inclusion, in the Emphires WordPress theme developed by Creatives_Planet. The issue affects all versions of Emphires up to and including 3.9 (no lower bound is given) and is tracked under CWE-98. The vulnerability was published on 2026-04-08.
The vulnerability carries a CVSS v3.1 base score of 7.5 (High), with an attack vector of Network (AV:N), high attack complexity (AC:H), low privileges required (PR:L, i.e. an authenticated low-privileged user), no user interaction (UI:N), and unchanged scope (S:U). An attacker meeting these conditions can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H): at minimum unauthorized reads of local files on the server and, because an included file is executed as PHP, further compromise wherever the attacker can get controlled content onto disk.
Advisories, including the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/emphires/vulnerability/wordpress-emphires-theme-3-9-local-file-inclusion-vulnerability?_s_id=cve, provide details on the vulnerability in the Emphires WordPress theme version 3.9.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20357
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion. This issue affects Emphires: from n/a through <= 3.9.
- CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)
Why these techniques?
An LFI vulnerability in a public-facing WordPress theme enables exploitation of public-facing applications (T1190) and direct unauthorized access to local server files (T1005, Data from Local System).
Mitigating Controls (NIST 800-53 r5, AI-generated mapping)
- SI-2 (Flaw Remediation): requires timely remediation of the known PHP Local File Inclusion flaw in the Emphires WordPress theme, i.e. updating to a fixed release as soon as one is available, to prevent exploitation.
- SI-10 (Information Input Validation): mandates validation of user-supplied filenames before use in PHP include/require statements, so that attacker-chosen paths never reach the include.
- CM-6 (Configuration Settings): enforces secure PHP configuration settings such as open_basedir restrictions and disabling allow_url_include to limit what a file inclusion flaw can reach.
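The following is an added illustration of the SI-10 and CM-6 controls above in working PHP; it is not code from the Emphires theme and does not reproduce the actual vulnerable code path, which the advisories do not publish. The request parameter name (tpl), the templates/ directory, and the allowlist of template names are assumptions chosen for the example.

```php
<?php
// Added example, not code from the Emphires theme. The parameter name `tpl`,
// the `templates/` directory and the allowlist below are assumptions.

// VULNERABLE pattern (CWE-98): the include path is built from a request
// parameter. A value such as "../../../../etc/passwd" (the trailing ".php"
// is easy to neutralise on many setups) or a php:// filter wrapper reaches
// files outside the theme directory (LFI); with allow_url_include=On an
// http:// URL would be fetched and executed as well (RFI).
function render_template_vulnerable(string $tpl): void
{
    include __DIR__ . '/templates/' . $tpl . '.php';
}

// HARDENED pattern (SI-10): map the untrusted value onto a fixed set of
// known template names, then confirm the resolved path still lives under
// the template directory. The untrusted string itself never reaches include().
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['header', 'footer', 'portfolio', 'contact'];

function resolve_template(string $tpl): ?string
{
    if (!in_array($tpl, ALLOWED_TEMPLATES, true)) {
        return null;                       // not on the allowlist
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $tpl . '.php');
    if ($base === false || $path === false) {
        return null;                       // missing directory or file
    }
    // Defence in depth: reject anything realpath() resolved outside $base,
    // e.g. a symlink that was planted inside the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $tpl): void
{
    $path = resolve_template($tpl);
    if ($path === null) {
        http_response_code(400);
        exit('invalid template');
    }
    include $path;
}

// Configuration side (CM-6), set in php.ini or the pool's .user.ini:
//   allow_url_include = Off          ; include/require cannot load http:// or ftp:// URLs
//   allow_url_fopen   = Off          ; optional, also blocks fopen()/file_get_contents() on URLs
//   open_basedir      = /var/www/html ; file access confined to the web root
// Runtime self-check of those two settings, e.g. for a health endpoint:
function include_hardening_ok(): bool
{
    $urlInclude = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    return !$urlInclude && ini_get('open_basedir') !== '';
}

// Usage with untrusted input from the request:
// render_template_hardened((string) ($_GET['tpl'] ?? 'header'));
```

The allowlist does the real work: with a closed set of template names, traversal sequences and stream wrappers are rejected before any filesystem call. The realpath() containment check and the open_basedir setting only limit the blast radius if the allowlist is ever bypassed or forgotten on another code path; none of this replaces updating the theme once a fixed release is published.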