CVE-2026-34894: WordPress Integrio Core plugin < 1.2.8 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Integrio Core < 1.2.8 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 1.2.8
- Affected Products: 1
HarborGuard Analysis
Synopsis
CVE-2026-34894 is an unauthenticated Local File Inclusion (LFI) vulnerability in the Integrio Core WordPress plugin by WebGeniusLab, affecting versions before 1.2.8. The flaw is reachable over the network and requires no credentials, but exploitation depends on conditions the attacker does not fully control, which is why the CVSS vector rates attack complexity High. A successful attacker can read arbitrary files from the server, tamper with application data, and disrupt service availability. A patched-image rebuild at version 1.2.8 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, Patchstack among them, within minutes of publication and matched against customer images and pipeline builds, custom-built WordPress images that bundle the Integrio Core plugin included.
HarborGuard scores this finding at CVSS 8.1 (HIGH), weights it against each environment's compliance policy, and routes the alert to the team inbox configured for that customer org.
A patched-image rebuild at Integrio Core 1.2.8 is available on HarborGuard for any image found to include an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Not required
No account or session token is needed; the vulnerable code path is accessible to unauthenticated requests.
- Victim interaction: Not required
The attacker does not need to involve a user or administrator to trigger the vulnerability.
- Attack complexity: High
The CVSS vector rates attack complexity High: the exploit depends on conditions the attacker cannot fully control, such as guessing file paths or a particular server configuration.
Blast Radius
- An attacker can read arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
- An attacker who can get controlled content into a file the server can read (a writable file such as an upload or a log) can include it, which tampers with application data and, depending on server configuration, can escalate to code execution.
- The integrity of the WordPress installation can be undermined, allowing persistent modification of site behavior or content.
- Service availability can be disrupted by including files that trigger fatal errors or exhaust server resources.
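The exploit conditions and blast radius above describe a network-reachable, unauthenticated endpoint that an attacker drives with traversal sequences or PHP stream wrappers to pull files such as wp-config.php. The script below is an added example, not code from HarborGuard or from the Integrio Core plugin, of how a defender can flag such attempts in web-server access logs while the plugin update is rolled out. The advisory does not name the vulnerable endpoint or parameter, so the `some-plugin/view.php?file=` path in the constructed sample log is a placeholder; the repeated percent-decoding and the indicator list are generic to LFI exploitation against a WordPress site.

```python
"""Flag likely Local File Inclusion attempts in web-server access logs.

Added example, not HarborGuard's or the plugin's code. The plugin path and the
'file' parameter in the constructed sample log are placeholders: the advisory
does not name the vulnerable endpoint. The decoding and indicator checks are
generic to LFI exploitation against a WordPress site.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /wp-content/plugins/some-plugin/view.php?file=../../../../wp-config.php HTTP/1.1" 200 3100
203.0.113.7 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-content/plugins/some-plugin/view.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1800
203.0.113.9 - - [10/Mar/2026:12:00:04 +0000] "GET /wp-content/plugins/some-plugin/view.php?file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4000
203.0.113.9 - - [10/Mar/2026:12:00:05 +0000] "GET /wp-content/plugins/some-plugin/view.php?file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 210
198.51.100.2 - - [10/Mar/2026:12:00:06 +0000] "GET /wp-content/plugins/some-plugin/view.php?file=header.php HTTP/1.1" 200 900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each indicator is checked against the fully percent-decoded request target.
INDICATORS = [
    # ../ or ..\ anywhere; this also catches the ....// filter-bypass form
    ("traversal", re.compile(r"\.\.[/\\]")),
    # PHP stream wrappers used to read source or smuggle content into an include
    ("stream-wrapper", re.compile(r"\b(?:php|file|phar|zip|expect|glob)://|\bdata:", re.I)),
    # files an LFI attacker goes for first: DB credentials, users, env vars
    ("sensitive-target", re.compile(r"wp-config\.php|/etc/passwd|/proc/self/environ", re.I)),
]


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so that %252e%252e%252f (double-encoded)
    is seen as ../ ; the round limit stops pathological inputs."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list[str]:
    """Names of the indicators present in the request target."""
    decoded = fully_decode(target)
    return [name for name, rx in INDICATORS if rx.search(decoded)]


def detect_lfi(log_text: str) -> list[dict]:
    """One finding per log line that shows at least one LFI indicator.
    A 404 is still reported: with attack complexity High the attacker is
    probing paths, and the next guess may land."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "target": m["target"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in detect_lfi(SAMPLE_LOG):
        print(f["ip"], f["status"], f["indicators"], f["target"])
```

Run stand-alone it reports four of the six constructed lines: the plain traversal, the single-encoded traversal to /etc/passwd, the php://filter read of wp-config.php, and the double-encoded traversal that only becomes visible after the second decoding round. The legitimate `header.php` request and the front-page request produce nothing. Feeding real logs through the same function is a reasonable stopgap until the WAF rule or the 1.2.8 update is in place.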
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-34894 is active across all customer environments, matching images that bundle Integrio Core below version 1.2.8 as soon as a scan runs. Where compliance policy permits, auto-remediation customers receive a rebuilt image pinned to version 1.2.8, followed by an automated regression-test run and a PR opened against any affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For teams not yet on auto-remediation, HarborGuard surfaces the finding with CVSS 8.1 severity and recommended fix version so engineers can prioritize and act manually. As an interim compensating control, restricting public HTTP access to the WordPress installation via network policy or a web application firewall rule reduces the exploitable surface until the plugin is updated.
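Matching an image against "Integrio Core below 1.2.8" needs nothing more than the standard WordPress plugin header: the `Plugin Name:` and `Version:` lines in the plugin's main PHP file under `wp-content/plugins/<slug>/`. The script below is an added example, not HarborGuard's scanner; the `integrio-core` slug, the fixture files and the unrelated second plugin are constructed for the demo, and only the plugin name and the fixed version 1.2.8 come from this advisory. It also shows why the version must be compared numerically rather than as a string.

```python
"""Inventory WordPress plugins on a filesystem and flag Integrio Core < 1.2.8.

Added example, not HarborGuard's scanner. It relies only on the standard
WordPress plugin header block; the slug 'integrio-core' and the fixture
files are assumptions constructed for the demo.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

AFFECTED_PLUGIN = "Integrio Core"   # from the advisory
FIXED_VERSION = "1.2.8"             # from the advisory

# Matches "Plugin Name: X" / "Version: X" header lines, with or without the
# leading " * " of a docblock comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10). Numeric tuples compare correctly where a plain
    string compare would rank '1.2.10' below '1.2.8'. A non-numeric suffix
    such as '-beta' is dropped, so pre-releases compare as their base version."""
    parts: list[int] = []
    for piece in re.split(r"[.\-+]", v.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts) or (0,)


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


def plugin_headers(plugins_dir: Path) -> list[dict]:
    """One record per plugin directory, read from the first PHP file there
    that carries a Plugin Name header (WordPress itself reads the header
    from the first 8 KiB of the main file)."""
    found: list[dict] = []
    if not plugins_dir.is_dir():
        return found
    for slug_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(slug_dir.glob("*.php")):
            fields = dict(HEADER_RE.findall(php.read_text(errors="replace")[:8192]))
            if "Plugin Name" in fields:
                found.append({"slug": slug_dir.name, "name": fields["Plugin Name"],
                              "version": fields.get("Version", "0"), "file": str(php)})
                break
    return found


def find_affected(root: Path) -> list[dict]:
    """Plugins under root/wp-content/plugins that are Integrio Core below 1.2.8."""
    records = plugin_headers(root / "wp-content" / "plugins")
    return [r for r in records
            if r["name"] == AFFECTED_PLUGIN and is_vulnerable(r["version"])]


def build_sample_tree(integrio_version: str) -> Path:
    """Constructed fixture (assumption): a minimal WordPress layout with the
    plugin at the given version plus one unrelated plugin that must not match."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    plugins = root / "wp-content" / "plugins"
    (plugins / "integrio-core").mkdir(parents=True)
    (plugins / "integrio-core" / "integrio-core.php").write_text(
        "<?php\n/**\n * Plugin Name: Integrio Core\n"
        f" * Version: {integrio_version}\n */\n")
    (plugins / "other-widgets").mkdir()
    (plugins / "other-widgets" / "other-widgets.php").write_text(
        "<?php\n/*\nPlugin Name: Other Widgets\nVersion: 1.2.0\n*/\n")
    return root


if __name__ == "__main__":
    for ver in ("1.2.7", "1.2.8", "1.2.10"):
        hits = find_affected(build_sample_tree(ver))
        print(f"Integrio Core {ver}: {'AFFECTED' if hits else 'not affected'}")
```

Point `find_affected` at the root of an unpacked container image or a web root and it returns the matching plugin records, which is the check to run on every image that ships WordPress rather than on the base image alone, since custom builds often vendor plugins in a later layer.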
Fix available
- WebGeniusLab / Integrio Core: < 1.2.8 (from n/a)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H