HarborGuard Database

CVE-2026-39553 | Severity: HIGH | CNA: Patchstack

CVE-2026-39553: WordPress WaveRide theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

Local File Inclusion (LFI) is a class of vulnerability where an attacker manipulates a file path parameter to force the application to load and execute a file already present on the server. The WaveRide WordPress theme by Select-Themes, versions 1.4 and earlier, contains such a flaw reachable over the network with no authentication required, though exploitation requires meeting certain environmental conditions reflected in the high attack complexity rating. Successful exploitation gives an attacker full read and write access to the underlying host and can crash the service entirely. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
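The mitigation for the vulnerability class described above is to never build an include path from request input; instead, map the untrusted value onto a fixed allowlist of template names and confirm the result still resolves inside the intended directory. The following is an added Python illustration of that pattern, not code from the WaveRide theme or from HarborGuard; the template directory, the allowlisted names and the parameter value are all constructed for the example.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed for this example: an allowlist of template names the
# application legitimately loads. The directory and names are hypothetical
# and are not taken from the WaveRide theme.
TEMPLATE_DIR = Path("/var/www/html/wp-content/themes/example-theme/templates")
ALLOWED_TEMPLATES = {"header", "footer", "sidebar", "single"}


def resolve_template(user_value: str) -> Optional[Path]:
    """Map an untrusted request parameter to a file under TEMPLATE_DIR.

    Returns the resolved path only when the value is exactly one of the
    allowlisted names; returns None for anything else (empty input, control
    or null bytes, path separators, scheme prefixes, unknown names). The
    caller includes only what this function returns, never the raw value.
    """
    # Reject empty input and any control character (including NUL) up front.
    if not user_value or any(ord(c) < 32 for c in user_value):
        return None
    # Template names are bare identifiers: no separators, no "scheme:" prefix.
    if "/" in user_value or "\\" in user_value or ":" in user_value:
        return None
    # Exact membership test, not a prefix or substring check.
    if user_value not in ALLOWED_TEMPLATES:
        return None
    candidate = TEMPLATE_DIR / f"{user_value}.php"
    # Defence in depth: normalise lexically (no filesystem access needed) and
    # require the result to sit strictly inside TEMPLATE_DIR.
    resolved = Path(os.path.normpath(candidate))
    if TEMPLATE_DIR not in resolved.parents:
        return None
    return resolved
```

The allowlist check alone is sufficient in this design; the final containment check is there so that a later change to how `candidate` is built cannot silently reintroduce traversal. `os.path.normpath` is purely lexical, so the check works in a test environment where the files do not exist; a production deployment would additionally rely on the web server's filesystem restrictions.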

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-39553 is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory feed, within minutes of publication and matched against customer images running the WaveRide theme, including custom-built WordPress images that bundle the theme. No manual feed configuration is required for coverage to apply.
Triage: Available

HarborGuard scores this CVE at CVSS 8.1 HIGH (v3.1) and can weight that score against each customer environment's compliance policy to determine urgency and route the finding to the appropriate team inbox within the customer org. Per-environment context, such as whether the affected theme is exposed publicly or sits behind an internal proxy, can further refine triage priority.
Patch: Pending upstream

No fix version has been published by Select-Themes as of the CVE publication date, so no patched-image rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will make a patched rebuild available, along with a PR opened against affected workloads for customers with auto-remediation enabled, the moment an upstream fix is released.

Exploit Conditions

  • Network reachability: Required

    The vulnerable theme endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS to send a crafted request.

  • Authentication: Not required

    No account or session token is needed; the file inclusion parameter can be triggered by an unauthenticated request.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any logged-in user or administrator.

  • Attack complexity: High

    Attack complexity is rated High, meaning the attacker must account for specific environmental conditions, such as predictable file paths, writable directories, or particular server configurations, before the inclusion can be weaponized reliably.

Blast Radius

  • An attacker can read arbitrary files on the server, including WordPress wp-config.php credentials, private keys, and other secrets stored on the filesystem.
  • An attacker can achieve code execution by including a PHP file already present on the host, allowing full control over the WordPress process and its runtime environment.
  • Database credentials exposed through file read can be used to modify or delete persisted WordPress content, user records, and configuration rows.
  • The process running WordPress can be crashed or rendered unresponsive through inclusion of a malformed or resource-exhausting file, taking the site offline.

How HarborGuard Handles This

Available on HarborGuard. Because no upstream fix exists for CVE-2026-39553 as of publication, HarborGuard continuously monitors the Patchstack advisory and upstream Select-Themes release channels on every ingest cycle. As compensating controls while awaiting a patch, customers can use HarborGuard network-policy recommendations to restrict inbound HTTP access to WaveRide-powered endpoints to known trusted IP ranges, apply egress filtering so the PHP process cannot load unexpected paths through web-accessible directories, and flag images containing WaveRide 1.4 or earlier as policy-blocked in staging and production pipelines until a fix ships. For customers with auto-remediation enabled, a patched-image rebuild and regression run will be triggered automatically and a PR opened against affected workloads the moment an upstream fix version is published.
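The "flag images containing WaveRide 1.4 or earlier" control reduces to a version gate on the theme header that WordPress reads from `style.css`. The following added Python example, which is not HarborGuard's scanner code, shows that gate: it parses a constructed `style.css` header, compares the declared version against the affected ceiling of 1.4 taken from this advisory, and returns a pipeline decision. Only the theme name and the ceiling version come from the advisory; the sample header text, the `AFFECTED` table and the decision labels are assumptions made for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the header comment WordPress reads from a theme's
# style.css. The URI and CSS body are invented; "WaveRide", "Select-Themes"
# and the affected range (<= 1.4) are the only values from the advisory.
SAMPLE_STYLE_CSS = """\
/*
Theme Name: WaveRide
Theme URI: https://example.invalid/waveride
Author: Select-Themes
Version: 1.4
*/
body { margin: 0; }
"""

# Lower-cased theme name -> highest affected version. "n/a through 1.4" in
# the advisory means every release up to and including 1.4 is affected.
AFFECTED = {"waveride": "1.4"}

HEADER_RE = re.compile(r"^\s*(Theme Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_theme_header(style_css: str) -> Dict[str, str]:
    """Extract the header fields this check needs from style.css text."""
    header = style_css.split("*/", 1)[0]  # only the leading comment block
    return {key: value for key, value in HEADER_RE.findall(header)}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """'1.4' -> (1, 4); None when the version is missing or non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        return None
    return tuple(int(part) for part in parts)


def evaluate_theme(style_css: str) -> str:
    """Return 'block', 'allow' or 'review' for one theme's style.css.

    'review' is returned when the theme is on the affected list but its
    version cannot be parsed, so an unreadable header never passes silently.
    """
    fields = parse_theme_header(style_css)
    name = fields.get("Theme Name", "").strip().lower()
    if name not in AFFECTED:
        return "allow"
    found = parse_version(fields.get("Version", ""))
    if found is None:
        return "review"
    ceiling = parse_version(AFFECTED[name])
    # Tuple comparison orders versions component-wise: (1, 3, 2) <= (1, 4)
    # and (1, 4) <= (1, 4) hold, while (1, 4, 1) and (1, 5) exceed the ceiling.
    return "block" if found <= ceiling else "allow"
```

In a pipeline the function would be run over every `style.css` found under `wp-content/themes/` in the image layer, with a "block" result failing the policy check and a "review" result routed to a human, matching the triage routing described above.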

Affected packages

  • Select-Themes / WaveRide, versions ≤ 1.4

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References