CVE-2026-39547: WordPress Getaway theme < 1.8 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Getaway < 1.8 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 1.8
- Affected Products: 1
HarborGuard Analysis
Synopsis
A local file inclusion vulnerability affects the WordPress Getaway theme by Select-Themes in versions before 1.8. The flaw is reachable over the network without any authentication, though exploitation requires meeting certain environmental conditions. A successful attacker can read, and potentially execute, arbitrary files on the server, leading to full confidentiality loss, data tampering, and service disruption. A patched-image rebuild at version 1.8 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images and pipeline builds, including custom-built WordPress images that bundle the Getaway theme. Any image containing a Getaway theme version below 1.8 is flagged automatically.
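The flagging described above boils down to a version check against the theme's own metadata. As an added example (not HarborGuard's or Select-Themes' code), the snippet below reads the header comment WordPress requires in a theme's style.css, which declares the theme name and version, and compares the version against 1.8 numerically rather than as a string, so that 1.10 is correctly treated as newer than 1.8. The sample style.css contents are constructed for the example; the real theme's header text is not reproduced from the page.

```python
import re

# WordPress reads theme metadata from the header comment of style.css.
# This sample header is constructed for the example, not copied from the real theme.
SAMPLE_STYLE_CSS = """/*
Theme Name: Getaway
Author: Select-Themes
Version: 1.7.2
*/
body { margin: 0; }
"""

FIXED_VERSION = "1.8"  # first version carrying the fix, per the advisory
HEADER_RE = re.compile(r"^\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(style_css: str) -> dict:
    """Return the header fields (Theme Name, Version) from the first comment block."""
    m = re.search(r"/\*(.*?)\*/", style_css, re.DOTALL)
    block = m.group(1) if m else ""
    return dict(HEADER_RE.findall(block))


def version_tuple(version: str) -> tuple:
    """Split a dotted version into ints so that 1.10 sorts above 1.8 (string compare would not)."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)  # tolerate suffixes such as '2beta'
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 1.8 equals 1.8.0."""
    ta, tb = version_tuple(a), version_tuple(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_vulnerable_getaway(style_css: str) -> bool:
    """True when style.css belongs to Getaway and declares a version below 1.8."""
    header = parse_theme_header(style_css)
    if header.get("Theme Name", "").lower() != "getaway":
        return False
    version = header.get("Version")
    if version is None:
        return True  # no version declared: flag for review rather than silently skip
    return compare_versions(version, FIXED_VERSION) < 0
```

A scanner would run `is_vulnerable_getaway` over the style.css of every theme directory found in an image; a missing Version header is deliberately flagged rather than ignored.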
HarborGuard scores this CVE at 8.1 HIGH using the CVSS v3.1 vector and weights it against each customer organization's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer environment based on configured ownership rules.
A patched-image rebuild at Getaway version 1.8 becomes available through HarborGuard once an affected image is identified. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads without requiring manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable theme endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.
- Authentication: Not required
No account or credentials are needed; the vulnerability is exploitable by any unauthenticated network request.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker sends requests directly to the server without any victim involvement.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must account for specific environmental conditions, such as particular server configurations or file-path constraints, before the inclusion can be triggered reliably.
Blast Radius
- A successful attacker reads arbitrary files on the web server, including WordPress configuration files that contain database credentials and secret keys.
- The attacker can tamper with or overwrite files accessible to the web server process, modifying theme files, plugins, or application data.
- If the server is configured to execute included files (for example through PHP wrappers), the attacker gains remote code execution on the host.
- In the worst case, a full compromise of the web server process crashes or destabilizes the WordPress service, causing an outage.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image bundling Getaway below version 1.8, including custom-built WordPress images. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 1.8, runs a regression test, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in environments with auto-remediation enabled is around 90 minutes.
For customers who manage patching manually, the finding is routed to the configured team inbox with the CVSS 8.1 HIGH score and compliance-policy weighting attached.
As an interim compensating control before patching, customers can apply network policy rules to restrict public access to the WordPress file-inclusion endpoints, or use a web application firewall rule to block requests that carry path-traversal patterns targeting the Getaway theme.
Fix available
- Select-Themes / Getaway < 1.8 (from n/a)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H