HIGH | CVE-2026-39522 | CNA: Patchstack

CVE-2026-39522: WordPress Solene theme <= 3.4 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Solene versions 3.4 and earlier.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fixed version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a Local File Inclusion (LFI) vulnerability in the WordPress Solene theme, versions 3.4 and earlier. An unauthenticated attacker who can reach the vulnerable endpoint over the network supplies a crafted file path, and the theme hands that path to a server-side include, so the server loads a local file of the attacker's choosing instead of the intended template. Successful exploitation discloses sensitive files from the server and, where the attacker can get content of their own into a file the server will include (for example an upload, a log or a session file), escalates to remote code execution; the CVSS vector rates attack complexity High because a working path depends on the server's file layout and configuration. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available when upstream ships a fix.
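To make the include pattern concrete, the following is an added Python model of a flawed path filter beside a hardened resolver. It is not code from the Solene theme (the advisory does not show the vulnerable function); the theme directory, the template names in the allowlist and the payloads are all constructed for the example. The hardened version accepts only a known template name and then checks that the resolved real path still lies under the theme directory, which is the same check a PHP include must make before loading a user-influenced path.

```python
import os
import tempfile
from typing import List, Optional, Tuple

# Constructed theme layout for the demo (not the real Solene file tree).
def make_theme_dir() -> str:
    root = tempfile.mkdtemp(prefix="theme-")
    for name in ("header.php", "footer.php", "single.php"):
        with open(os.path.join(root, name), "w") as f:
            f.write("<?php // %s ?>" % name)
    return root


def naive_resolve(theme_dir: str, user_value: str) -> str:
    """The flawed pattern: strip '../' once and concatenate.

    The replace is not recursive, so '....//' collapses to '../' after the
    strip, and an absolute path is joined verbatim. Both escape theme_dir."""
    cleaned = user_value.replace("../", "")
    return os.path.normpath(os.path.join(theme_dir, cleaned + ".php"))


ALLOWED_TEMPLATES = frozenset({"header", "footer", "single"})  # assumed names


def hardened_resolve(theme_dir: str, user_value: str) -> Optional[str]:
    """Allowlist the template name, then prove the real path is inside theme_dir."""
    if user_value not in ALLOWED_TEMPLATES:
        return None
    root = os.path.realpath(theme_dir)
    candidate = os.path.realpath(os.path.join(root, user_value + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None  # a symlink or traversal left the theme directory
    return candidate if os.path.isfile(candidate) else None


def inside(theme_dir: str, path: str) -> bool:
    """True when the real path of `path` is under the real theme directory."""
    root = os.path.realpath(theme_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def run_demo() -> List[Tuple[str, bool, Optional[str]]]:
    """Per payload: (payload, naive path stays inside theme?, hardened result)."""
    theme = make_theme_dir()
    payloads = [
        "header",                          # legitimate template name
        "....//....//....//etc/passwd",    # constructed traversal bypass
        "/etc/passwd",                     # constructed absolute-path variant
    ]
    results = []
    for p in payloads:
        results.append((p, inside(theme, naive_resolve(theme, p)), hardened_resolve(theme, p)))
    return results


if __name__ == "__main__":
    for payload, naive_ok, hardened in run_demo():
        print("%-32s naive_contained=%-5s hardened=%s" % (payload, naive_ok, hardened))
```

The naive filter lets both attacker payloads resolve outside the theme directory, while the hardened resolver returns a path only for the allowlisted name. Note that in PHP the hardened path check alone is not sufficient: `include` also accepts stream wrappers such as `php://filter`, so rejecting anything that is not a plain allowlisted name, as above, is the first line of defence.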

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against any customer image that packages the Solene theme at version 3.4 or earlier, including custom-built WordPress images. Coverage extends to images in connected registries and images built inside CI/CD pipelines.

Triage: Available

HarborGuard can score this finding at CVSS 8.1 (HIGH) and weight it further against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version exists for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Elated-Themes publishes a corrected release. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable WordPress endpoint over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No account or session token is required; the vulnerable code path is accessible to any anonymous HTTP request.

  • Victim interaction: Not required

    The attacker does not need to trick any user into taking an action; exploitation is entirely attacker-driven.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must overcome specific environmental conditions, such as knowledge of file paths or server configuration, to succeed reliably.

Blast Radius

  • A successful attacker reads arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
  • With database credentials in hand, the attacker can read or modify all data stored in the WordPress database, including user account records, session tokens, and site content.
  • Depending on server configuration, the attacker can achieve remote code execution by including a file containing attacker-controlled content, giving full control over the web server process.
  • All three impact dimensions (confidentiality, integrity, and availability) are rated High, so a complete compromise of the affected WordPress installation is within scope of exploitation.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-39522 is active across connected registries and pipelines, matching any image that bundles the Solene theme at version 3.4 or earlier. Because no upstream patch exists yet, HarborGuard monitors the Patchstack advisory and the Elated-Themes release feed on every ingest cycle. When a fix is published, a patched-image rebuild becomes available immediately; for customers who opt into auto-remediation, a rebuild is triggered, a regression test suite is run, and a PR is opened against affected workloads automatically. In the interim, compensating controls worth considering include request-level rules at the web server, ingress or WAF that deny public access to the theme's PHP entry points and reject traversal sequences (including double-encoded forms) and PHP stream-wrapper prefixes in request parameters (a Kubernetes NetworkPolicy works at the IP and port level and cannot single out an endpoint); egress filtering from the WordPress container, which does not stop the file read itself but limits what an attacker who reaches code execution can do next; and disabling or replacing the Solene theme with a maintained alternative where the site design permits. If exposure of wp-config.php is suspected, rotate the database credentials and the authentication keys and salts it contains, since those are exactly what an arbitrary file read delivers.
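As an interim detection to pair with the request-level rules above, the following added Python scanner (not HarborGuard's detection logic) walks constructed access-log lines and flags query parameters that carry traversal sequences, PHP stream-wrapper prefixes or references to sensitive files, decoding each value repeatedly so double-encoded probes are not missed. The request path and the `template` parameter name in the sample lines are placeholders: the advisory does not name the vulnerable endpoint or parameter, so adapt the allow/deny logic to the real one once it is known.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample traffic in combined log format (not real logs). The
# "/index.php" path and the "template" parameter are placeholders, not the
# vulnerable endpoint, which the advisory does not name.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:12:00:02 +0000] "GET /index.php?template=../../../../wp-config.php HTTP/1.1" 200 3021 "-" "curl/8.5.0"
203.0.113.9 - - [10/Mar/2026:12:00:03 +0000] "GET /index.php?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1432 "-" "curl/8.5.0"
203.0.113.9 - - [10/Mar/2026:12:00:04 +0000] "GET /index.php?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4097 "-" "curl/8.5.0"
198.51.100.7 - - [10/Mar/2026:12:00:05 +0000] "GET /wp-content/themes/solene/style.css HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
WRAPPER_RE = re.compile(r'^(?:php|phar|data|expect|zip|file)://', re.I)
SENSITIVE_RE = re.compile(r'(?:/etc/passwd|wp-config\.php|/proc/self/environ)', re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded) so %252e-style double encoding is unmasked."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> List[str]:
    """Name every LFI indicator present in one decoded parameter value."""
    reasons = []
    if TRAVERSAL_RE.search(value):
        reasons.append("traversal")
    if WRAPPER_RE.match(value):
        reasons.append("stream-wrapper")
    if SENSITIVE_RE.search(value):
        reasons.append("sensitive-file")
    return reasons


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious query parameter, with the HTTP status
    so a responder can see whether the probe was answered with 200."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qsl performs one decode round; fully_decode handles the rest.
        for param, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            reasons = classify(value)
            if reasons:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "param": param,
                    "value": value,
                    "reasons": ",".join(reasons),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(ts)s %(ip)s status=%(status)s %(param)s=%(value)s [%(reasons)s]" % f)
```

The benign search and the static stylesheet request produce no finding; the three probes from 203.0.113.9 are flagged, including the double-encoded one, which only becomes visible after the second decode round. A 200 status on a flagged line is the signal to treat as a probable read and start the credential rotation described above.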

Affected packages
  • Elated-Themes / Solene
    ≤ 3.4
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H