CVE-2026-39549: WordPress Aperitif theme <= 1.5 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
A local file inclusion (LFI) vulnerability affects the Aperitif WordPress theme by Elated-Themes at version 1.5 and below. The flaw is reachable over the network without any authentication, meaning any external party can trigger it. Successful exploitation gives an attacker full read and write access to files on the server and can result in remote code execution, data theft, or complete service disruption. No upstream fix has been published; HarborGuard is tracking the advisory and will surface a patched rebuild the moment one becomes available.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-39549 is available across every HarborGuard environment. Images containing the Aperitif theme at version 1.5 or earlier are matched against this CVE within minutes of feed ingestion, covering both third-party base images and custom-built images in connected registries and CI pipelines.
- Triage (Available): Triage is available with CVSS 8.1 (HIGH) scoring applied automatically, surfacing this issue at a priority level consistent with customer compliance policy weighting. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Remediation (Pending upstream): Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment Elated-Themes publishes a remediated release. In the meantime, compensating controls such as network policy isolation and egress filtering can be applied to limit exposure for affected workloads.
Exploit Conditions
- Network reachability: Required
The vulnerability is reachable over the public network; an attacker does not need local or physical access to the host.
- Authentication: Not required
No account or session credential of any privilege level is needed to trigger the vulnerability.
- Victim interaction: Not required
The attacker does not need to manipulate or involve any user to carry out the attack.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must contend with specific race conditions, environmental factors, or particular server configurations to succeed reliably.
Blast Radius
- Reads arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials and secret keys.
- Writes or overwrites files on the server, enabling injection of malicious code into theme or plugin files.
- Achieves remote code execution by including a remotely or locally staged payload through the inclusion flaw.
- Crashes or destabilizes the WordPress application, resulting in service disruption for end users.
How HarborGuard Handles This
Available on HarborGuard: images running the Aperitif theme at version 1.5 or below are flagged automatically at HIGH severity as soon as the CVE is matched during each scan cycle. Because no fix version exists yet, HarborGuard monitors the Patchstack advisory feed on every ingest pass and will surface a patched-image rebuild the moment an upstream release is available. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention. While waiting for an upstream patch, recommended compensating controls include applying Kubernetes network policies to restrict inbound traffic to WordPress pods, enabling web application firewall rules that block directory traversal and file inclusion patterns, and auditing PHP include paths in the theme's codebase to gate the vulnerable parameter on a strict allowlist.
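The last compensating control above, auditing the theme's include paths and gating the request-controlled parameter on a strict allowlist, is shown here as an added example. This is not code from the Aperitif theme or from HarborGuard; the `template` query parameter, the `partials/` directory and the function names are assumptions made for illustration. The first function is the anti-pattern an auditor should flag; the second is the hardened loader that only ever uses the request value as a key into a fixed map and then confirms the resolved path still lies inside the intended directory.

```php
<?php
// Added example, not the theme's own code. Assumes a hypothetical partial
// loader driven by a `template` query parameter and a `partials/` directory.

// ANTI-PATTERN to flag during the include-path audit: a request value is
// concatenated into the include path with no validation, so whatever file
// the string resolves to is handed to include().
function theme_load_partial_unsafe(): void
{
    $template = $_GET['template'] ?? 'default';
    include __DIR__ . '/partials/' . $template . '.php';
}

// HARDENED form. Map of permitted partial names to their files; the request
// value is only used to look up an entry here, never to build a path itself.
const THEME_PARTIALS = [
    'default'   => 'default.php',
    'portfolio' => 'portfolio.php',
    'blog'      => 'blog.php',
];

/**
 * Resolve an allowlisted partial name to an absolute path, or null if the
 * name is unknown or the resolved file would lie outside $baseDir.
 */
function theme_resolve_partial(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, THEME_PARTIALS)) {
        return null; // anything not in the allowlist is rejected outright
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . THEME_PARTIALS[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing on disk
    }
    // Defence in depth: even an allowlisted entry must resolve inside the base
    // directory (guards against a symlinked or mis-deployed partial).
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function theme_load_partial_safe(): void
{
    $requested = (string) ($_GET['template'] ?? 'default');
    $path = theme_resolve_partial($requested, __DIR__ . '/partials');
    if ($path === null) {
        http_response_code(400);
        // Log the rejected value so WAF tuning and incident review can see it.
        error_log('Rejected template parameter: ' . $requested);
        return;
    }
    include $path;
}
```

Inside a real theme the base directory would normally come from `get_template_directory()` rather than `__DIR__`; the shape of the check is the same. The point of the `realpath` comparison is that the allowlist, not the filesystem, decides what may be included, and the containment test catches deployment mistakes that the allowlist alone would not.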
Affected Products
- Elated-Themes / Aperitif: ≤ 1.5
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H