CVE-2026-39523: WordPress Solene Core plugin <= 2.3.2 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Solene Core <= 2.3.2 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: — (no fixed version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Local File Inclusion is a vulnerability where an attacker can force a server-side application to read and expose files from the host filesystem, and in some configurations execute arbitrary code. The Solene Core WordPress plugin (versions 2.3.2 and below) is affected, reachable over the network with no authentication required, though exploitation requires meeting certain environmental or timing conditions reflected in the High attack complexity rating. Successful exploitation gives an attacker the ability to read sensitive server-side files, potentially modify data, or disrupt service availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection (status: Available). Detection for CVE-2026-39523 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack, covering both public base images and custom-built WordPress images. Any image containing the Solene Core plugin at version 2.3.2 or below is flagged automatically across connected registries and CI/CD pipelines.
- Scoring and routing (status: Available). HarborGuard scores this CVE at 8.1 HIGH using the published CVSS v3.1 vector and weights findings against each customer organization's active compliance policy to determine priority and routing. Triage alerts are directed to the appropriate team inbox within each customer org based on configured escalation rules.
- Fix availability (status: Pending upstream). No upstream fix version has been published for this CVE. HarborGuard re-checks the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release. In the meantime, customers with compensating-control policies configured can receive network-isolation or egress-filtering recommendations surfaced in the findings detail view.
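The coverage described above comes down to one check: read the plugin's header, extract its version, and compare it against the advisory's ceiling of 2.3.2. The following is an added example of that check written for this page (it is not HarborGuard's scanner code and not the plugin's own code). The sample header block is constructed, and the assumption that the plugin's main file declares `Plugin Name: Solene Core` should be verified against the real plugin before relying on the match.

```python
import re
from typing import Dict, Optional, Tuple

# Affected-version ceiling taken from the advisory: Solene Core <= 2.3.2.
AFFECTED_CEILING = "2.3.2"

# Assumption for this example: the plugin's main file carries this header name.
TARGET_PLUGIN_NAME = "Solene Core"

# Matches the two header fields we care about in a WordPress plugin docblock,
# e.g. " * Version: 2.3.2". Other header keys are ignored.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed sample of a plugin main file header (not the real plugin's file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Solene Core
 * Plugin URI: https://example.invalid/solene-core
 * Description: Constructed sample header for this example.
 * Version: 2.3.2
 * Author: Elated-Themes
 */
"""


def parse_plugin_header(text: str) -> Dict[str, str]:
    """Extract 'Plugin Name' and 'Version' from a plugin header block.
    The first occurrence of each key wins, matching WordPress's own behaviour."""
    fields: Dict[str, str] = {}
    for key, value in _HEADER_RE.findall(text):
        fields.setdefault(key, value)
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.3.2' into (2, 3, 2) for comparison. A non-numeric suffix such as
    '-beta' is dropped, so pre-releases compare as their base version (conservative:
    they are treated as affected when the base version is)."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_affected(version: str, ceiling: str = AFFECTED_CEILING) -> bool:
    """True when version <= ceiling. Tuples are zero-padded so '2.3' == '2.3.0'
    and '2.3.2.1' correctly sorts above '2.3.2'."""
    a, b = version_key(version), version_key(ceiling)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def assess_plugin_file(text: str) -> Optional[str]:
    """Return a finding string if the text is the target plugin at an affected
    version, otherwise None (wrong plugin, missing version, or patched)."""
    hdr = parse_plugin_header(text)
    if hdr.get("Plugin Name") != TARGET_PLUGIN_NAME or "Version" not in hdr:
        return None
    if is_affected(hdr["Version"]):
        return (f"CVE-2026-39523: {TARGET_PLUGIN_NAME} {hdr['Version']} "
                f"<= {AFFECTED_CEILING} (HIGH, CVSS 3.1 8.1)")
    return None


if __name__ == "__main__":
    print(assess_plugin_file(SAMPLE_HEADER))
```

In a real pipeline the same `assess_plugin_file` call would run over every `wp-content/plugins/*/*.php` file found in an image layer; the zero-padded tuple comparison matters because a maintenance release such as 2.3.2.1 must not be flagged once the fixed version is known.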
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WordPress service over the network; no local or physical access to the host is needed.
- Authentication: Not required
  No account or session credential is required; the vulnerable code path is reachable by any unauthenticated HTTP request.
- Victim interaction: Not required
  No user action such as clicking a link or visiting a page is needed to trigger the vulnerability.
- Attack complexity: High
  Attack complexity is rated High, meaning the attacker must satisfy specific environmental conditions, configuration states, or timing factors to reliably trigger the file inclusion.
Blast Radius
- Reads arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
- Reads operating system files such as /etc/passwd, application logs, or private keys accessible to the web server process.
- In configurations where file inclusion can reach a writable or remotely controlled path, the attacker can achieve arbitrary code execution on the host.
- Full confidentiality, integrity, and availability of the affected WordPress instance and any data it can access are at risk.
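Until a fixed release exists, the practical question for a SOC is whether anyone is already probing for the file reads listed above. The following is an added example, not part of this advisory and not HarborGuard code, of a small detector run over web server access logs: it decodes each request's path and query values (twice, to catch double encoding), then flags the generic LFI indicators a defender would look for (`../` traversal, null bytes, PHP stream wrappers, and references to files such as wp-config.php or /etc/passwd). The log lines are constructed, and the plugin path and `page` parameter in them are placeholders, not the affected plugin's real entry points.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined log format. Not real traffic;
# the plugin path and parameter name are placeholders chosen for this example.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?page=../../../../etc/passwd HTTP/1.1" 200 1832 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Mar/2026:12:00:02 +0000] "GET /wp-content/plugins/example-plugin/view.php?page=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2210 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2026:12:00:03 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:12:00:04 +0000] "GET /wp-content/plugins/example-plugin/view.php?page=file:///etc/passwd HTTP/1.1" 200 990 "-" "python-requests/2.31"',
])

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TRAVERSAL_RE = re.compile(r"\.\./")
WRAPPER_RE = re.compile(r"^(?:php|phar|data|file|expect|zip|glob)://", re.IGNORECASE)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "wp-config.php", "/proc/self", ".ssh/")


def normalize(value: str) -> str:
    """Decode URL-encoding twice (catches double-encoded payloads) and fold
    backslashes to forward slashes so one traversal pattern covers both."""
    return unquote(unquote(value)).replace("\\", "/")


def classify(value: str) -> list:
    """Return the LFI indicators present in one path or parameter value."""
    v = normalize(value)
    reasons = []
    if TRAVERSAL_RE.search(v):
        reasons.append("path-traversal")
    if "\x00" in v:
        reasons.append("null-byte")
    if WRAPPER_RE.match(v):
        reasons.append("stream-wrapper")
    if any(s in v.lower() for s in SENSITIVE_PATHS):
        reasons.append("sensitive-path")
    return reasons


def scan_log(text: str) -> list:
    """Parse combined-format lines and return one finding per request whose
    path or query-string value carries an LFI indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        url = urlsplit(m.group("target"))
        # Traversal can live in the path itself, so check it alongside every value.
        candidates = [("<path>", url.path)] + parse_qsl(url.query, keep_blank_values=True)
        for name, value in candidates:
            reasons = classify(value)
            if reasons:
                findings.append({
                    "ip": m.group("ip"), "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "param": name, "value": normalize(value), "reasons": reasons,
                })
    return findings


def offenders(findings: list) -> dict:
    """Count findings per source IP for triage ordering."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
    print(offenders(scan_log(SAMPLE_LOG)))
```

The status code is kept in each finding on purpose: an indicator request that received a 200 rather than a 403 or 404 is the one to escalate first, since it suggests the inclusion path answered rather than the web server or WAF rejecting it.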
How HarborGuard Handles This
Available on HarborGuard: images containing the Solene Core plugin at or below version 2.3.2 are flagged as HIGH severity the moment the CVE enters HarborGuard's feed, typically within minutes of upstream publication. Because no fix version exists yet, HarborGuard monitors the Patchstack advisory on every ingest cycle; as soon as the upstream maintainer publishes a remediated release, it triggers an automatic patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads. While waiting for a patch, HarborGuard surfaces compensating-control recommendations, including network-policy isolation to restrict external access to the WordPress instance, egress filtering to limit outbound file-read side channels, and feature-flag or plugin-deactivation options where the hosting environment supports them. Customers whose compliance policies flag unpatched HIGH-severity findings for manual review will see this CVE routed to the appropriate team inbox automatically.
- Elated-Themes / Solene Core: ≤ 2.3.2
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H