CVE-2026-34893: WordPress Thegov Core plugin < 2.0.23 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Thegov Core versions below 2.0.23.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 2.0.23
- Affected Products: 1
HarborGuard Analysis
Synopsis
A Local File Inclusion (LFI) vulnerability in the Thegov Core WordPress plugin by WebGeniusLab affects all versions below 2.0.23. The flaw is reachable over the network without any authentication, but successful exploitation depends on high-complexity conditions such as specific server configurations or environmental factors being present. A successful attack gives the attacker full read access to files on the server, lets them modify data, and can crash or fully compromise the affected service. A patched-image rebuild at version 2.0.23 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images and pipeline builds, including custom-built WordPress images that bundle the Thegov Core plugin.
HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each customer environment's compliance policy, then routes the alert to the appropriate team inbox within the customer org.
A patched-image rebuild at Thegov Core version 2.0.23 becomes available for scanning and deployment once the upstream package is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a PR against the affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress service via HTTP or HTTPS.
- Authentication: Not required
  No account or session token is needed; the vulnerable code path is accessible to any anonymous request.
- Victim interaction: Not required
  Exploitation is entirely attacker-driven and does not require any action from a site administrator or user.
- Attack complexity: High
  Exploitation is rated high complexity, meaning the attacker must account for specific server-side conditions such as particular PHP configurations, file path constraints, or other environmental factors that are not guaranteed to be present.
Blast Radius
- Reads arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
- Modifies or overwrites server-side data if the included file can be chained to a write primitive, compromising data integrity.
- Crashes the web server process or the PHP runtime by forcing inclusion of binary or malformed files, causing a service outage.
How HarborGuard Handles This
Available on HarborGuard: images containing Thegov Core below version 2.0.23 are flagged automatically within minutes of CVE ingestion, scored at CVSS 8.1 HIGH, and surfaced to the responsible team based on each customer environment's compliance policy routing rules. A patched rebuild targeting version 2.0.23 is available for environments where the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests against the new image, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding appears in the customer dashboard with remediation guidance and a direct link to the upstream changelog. Until the patched image is deployed, compensating controls such as network-policy rules that restrict external access to the WordPress service, web application firewall rules blocking path-traversal patterns in request parameters, and egress filtering to limit server-side file access are worth considering.
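The compensating controls above mention web application firewall rules that block path-traversal patterns in request parameters. The following is an added illustration of that detection idea, written for this page; it is not HarborGuard's, WebGeniusLab's, or the plugin's code. It parses web server access-log lines in the common "combined" format, percent-decodes every query parameter repeatedly so that double-encoded sequences are not missed, and flags values containing `../`, `..\` or a NUL byte. The log lines, IP addresses and the parameter name `file` are constructed sample data; the page does not disclose which endpoint or parameter the plugin flaw actually uses, so the detector is deliberately generic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Traversal step ("../" or "..\") or an embedded NUL byte after decoding.
TRAVERSAL_RE = re.compile(r"(\.\.[\\/])|(\x00)")

# Constructed sample lines (not real traffic). Lines 2 and 3 carry traversal
# attempts, the third one double-encoded (%252f decodes to %2f, then to "/").
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2026:10:00:05 +0000] "GET /index.php?file=../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2026:10:01:00 +0000] "GET /index.php?file=..%252f..%252fwp-config.php HTTP/1.1" 404 231 "-" "python-requests/2.31"
192.0.2.44 - - [01/Jan/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2026:10:02:30 +0000] "GET /index.php?q=wait...what HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def deep_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that
    double- or triple-encoded traversal sequences are normalised before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(target):
    """Return one finding per request component (path or query parameter)
    whose fully decoded value contains a traversal sequence."""
    parts = urlsplit(target)
    # parse_qsl already performs one round of percent-decoding.
    candidates = [("<path>", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    findings = []
    for name, raw in candidates:
        decoded = deep_decode(raw)
        if TRAVERSAL_RE.search(decoded):
            findings.append({"param": name, "decoded": decoded, "raw": raw})
    return findings


def scan_log(text):
    """Run the traversal check over every parseable log line and return alerts
    carrying the client IP, timestamp, HTTP status and the offending parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for finding in find_traversal(m["target"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), **finding})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ip"]} status={alert["status"]} param={alert["param"]} value={alert["decoded"]!r}')
```

Note that the third sample line returned a 404, yet it is still worth alerting on: a traversal attempt that failed today is a signal that the host is being probed, which is exactly the situation the page describes as the window between CVE publication and deployment of the patched image. The detector normalises before matching, which is the part that naive string filters on the raw query string get wrong.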
Fix available
- WebGeniusLab / Thegov Core: < 2.0.23 (from n/a)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H