HIGH | CVE-2026-34895 | CNA: Patchstack

CVE-2026-34895: WordPress Softlab Core plugin < 1.2.11 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: 1.2.11
Affected Products: 1


HarborGuard Analysis

Synopsis

Local File Inclusion (LFI) is a class of vulnerability where an attacker tricks an application into reading arbitrary files from the server's filesystem by supplying a crafted file path in a request. This vulnerability affects the Softlab Core WordPress plugin by WebGeniusLab in versions below 1.2.11, and is reachable over the network with no authentication required. Successful exploitation gives an attacker full read access to files on the server and the ability to tamper with data, and can disrupt service availability; in many WordPress environments LFI can be chained to achieve remote code execution. A patched-image rebuild at version 1.2.11 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-34895 is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the Softlab Core plugin. Any image in a connected registry or CI pipeline running an affected version of the plugin is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 8.1 HIGH using the recorded CVSS v3.1 vector, and surfaces it with per-environment compliance policy weighting so severity thresholds and exception rules specific to each customer org are applied before routing the finding to the appropriate team inbox.

Patch: Available

A patched-image rebuild pinned to Softlab Core 1.2.11 becomes available through HarborGuard as soon as the upstream package is resolvable. For customers who have opted into auto-remediation, HarborGuard triggers a rebuild, runs the regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The plugin endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the WordPress installation to exploit this vulnerability.

  • Authentication: Not required

    No account or session token is needed; the vulnerability is exploitable by any unauthenticated HTTP request.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the server without any social-engineering step.

  • Attack complexity: Detail

    Exploitation is rated High complexity, meaning the attacker may need to satisfy specific environmental conditions, timing constraints, or craft a precise payload to reliably trigger the file inclusion.

Blast Radius

  • A successful attacker can read arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
  • With write-capable file paths or log-poisoning techniques, the attacker can modify server-side content or inject executable code, compromising the integrity of the application.
  • Full confidentiality, integrity, and availability impact is rated High, meaning the attacker can crash or render the WordPress service unavailable alongside data theft and tampering.
  • In shared-hosting or containerized environments, file disclosure can expose secrets that grant lateral access to adjacent services or databases.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-34895 is matched against images in connected registries and pipelines within minutes of ingestion, covering any custom WordPress image that bundles the Softlab Core plugin. For environments where the CVSS 8.1 HIGH rating meets or exceeds a customer's configured severity threshold, the finding is routed to the designated team inbox with full compliance policy weighting applied. A rebuilt image at Softlab Core 1.2.11 is made available as soon as the upstream package resolves. For customers with auto-remediation enabled, HarborGuard performs the rebuild, executes the regression test run, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or change-control requirements prevent automated remediation, the finding remains open and escalated until a manual patch action is recorded.


Fix available: 1.2.11
Affected packages
  • WebGeniusLab / Softlab Core
    < 1.2.11 (from n/a)
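
A check for the affected range above, as an added example that is not HarborGuard's matching logic or code from the plugin. It assumes the caller passes a WordPress plugins directory (for instance from an unpacked image layer) and identifies the plugin by the standard WordPress header fields "Plugin Name" and "Version", since the advisory does not give the plugin's directory name.

```python
import re
from pathlib import Path

FIXED = (1, 2, 11)            # first fixed version, from the advisory
PLUGIN_NAME = "softlab core"  # plugin display name, from the advisory

# WordPress plugin header fields inside the main file's leading comment.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'1.2.9' -> (1, 2, 9), using the leading digits of each component."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def read_header(php_file):
    """Return header fields from the first 8 KiB, where WordPress looks."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)
    return fields

def find_affected(plugins_dir):
    """List (path, version) for Softlab Core copies below the fixed version."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php)
        if header.get("plugin name", "").lower() != PLUGIN_NAME:
            continue
        version = header.get("version", "")
        parsed = parse_version(version)
        # Numeric tuples, not strings: "1.2.9" sorts after "1.2.11" as text.
        # A missing or unparsable version is reported so it gets reviewed.
        if not parsed or parsed < FIXED:
            findings.append((str(php), version or "unknown"))
    return findings

if __name__ == "__main__":
    import sys
    for path, version in find_affected(sys.argv[1]):
        print(f"AFFECTED {path} version={version}")
```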
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H