{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32426", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:11:26.571Z", "datePublished": "2026-03-13T11:42:17.181Z", "dateUpdated": "2026-04-29T09:51:59.103Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "medilazar-core", "product": "Medilazar Core", "vendor": "themelexus", "versions": [{"changes": [{"at": "1.4.7", "status": "unaffected"}], "lessThanOrEqual": "1.4.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:06:15.028Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.<p>This issue affects Medilazar Core: from n/a through < 1.4.7.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.This issue affects Medilazar Core: from n/a through < 1.4.7."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:51:59.103Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/medilazar-core/vulnerability/wordpress-medilazar-core-plugin-1-4-7-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Medilazar Core plugin < 1.4.7 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T17:58:37.139354Z", "id": "CVE-2026-32426", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T17:59:04.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T17:58:37.139354Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T17:55:57.004Z"}}], "cna": {"title": "WordPress Medilazar Core plugin < 1.4.7 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "themelexus", "product": "Medilazar Core", "versions": [{"status": "affected", "changes": [{"at": "1.4.7", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "< 1.4.7"}], "packageName": "medilazar-core", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-03-13T12:41:20.634Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/medilazar-core/vulnerability/wordpress-medilazar-core-plugin-1-4-7-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.This issue affects Medilazar Core: from n/a through < 1.4.7.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.<p>This issue affects Medilazar Core: from n/a through < 1.4.7.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-13T11:42:17.181Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32426", "state": "PUBLISHED", "dateUpdated": "2026-03-13T17:59:04.378Z", "dateReserved": "2026-03-12T11:11:26.571Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-13T11:42:17.181Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion.This issue affects Medilazar Core: from n/a through < 1.4.7."}, {"lang": "es", "value": "Control Inadecuado del Nombre de Fichero para la Sentencia Include/Require en Programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en themelexus Medilazar Core medilazar-core permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Medilazar Core: desde n/a hasta &lt; 1.4.7."}], "id": "CVE-2026-32426", "lastModified": "2026-04-22T21:30:26.497", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-13T19:55:00.960", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/medilazar-core/vulnerability/wordpress-medilazar-core-plugin-1-4-7-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.7)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Medilazar Core", "source": "cna", "vendor": "themelexus"}, "product": "medilazar_core", "vendor": "themelexus"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-19T15:17:10.647704+00:00", "value": {"mitigation_remediation": ["Update the Medilazar Core plugin to version 1.4.7 or later", "If immediate update is not possible, restrict access to the plugin's affected file inclusions using file access controls or input validation", "Verify that all WordPress installations are running the patched version and that no unpatched copies remain"], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "This vulnerability affects all releases of the Medilazar Core plugin from the first available version up to, but excluding, version 1.4.7. WordPress sites using any of these earlier versions of the plugin, regardless of theme or host, are potentially impacted. The affected product is the Medilazar Core plugin developed by themelexus.", "description_and_impact": "The Medilazar Core plugin for WordPress contains an improper control of filename when using PHP's include/require statements, resulting in a local file inclusion (LFI) flaw. An attacker can supply a crafted file path that the plugin blindly includes, potentially revealing sensitive files or executing arbitrary PHP code if the attacker can provide a PHP file. This weakness corresponds to CWE-98 and threatens confidentiality, integrity, and availability of the affected WordPress site.", "risk_and_exploitability": "The CVSS score of 7.5 marks it as high severity, while the EPSS score of less than 1% suggests a low current exploitation probability and it is not listed in the CISA KEV catalog. The likely attack vector is through an LFI that can be triggered by manipulating a user-supplied filename parameter or similar input. Security teams should treat this as a high\u2011risk vulnerability and prioritize patching or hardening measures."}}}}, "created": "2026-03-16T09:33:46.293891+00:00", "updated": "2026-03-23T12:03:38.328644+00:00", "vendors": ["themelexus", "themelexus$PRODUCT$medilazar_core", "wordpress", "wordpress$PRODUCT$wordpress"]}