CVE-2026-39559: WordPress Uppercase theme < 1.2.2 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 1.2.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
A local file inclusion vulnerability exists in the WordPress Uppercase theme prior to version 1.2.2. Reachable over the network with no authentication required, an attacker can manipulate file path inputs to force the server to load arbitrary files from the host filesystem. Successful exploitation gives the attacker full read access to sensitive server files, the ability to tamper with data, and can bring down the affected service entirely. A patched-image rebuild at version 1.2.2 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-39559 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Uppercase theme. Any image found to include a version of the Uppercase theme below 1.2.2 is flagged automatically.
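The matching described above boils down to finding the theme inside an image and comparing its declared version against the fixed release. The following is an added example, not HarborGuard's scanner or the theme vendor's code: it relies only on the WordPress convention that a theme's `style.css` opens with a comment header carrying `Theme Name:` and `Version:` lines, walks an unpacked filesystem for `themes/<slug>/style.css`, and flags the Uppercase theme when its version is below 1.2.2. The display name `Uppercase`, the slug, and the sample headers are assumptions constructed for the demo.

```python
"""Version-based detection of the Uppercase theme below 1.2.2 (added example)."""
import os
import re
import tempfile
from typing import Dict, List, Tuple

FIXED_VERSION = "1.2.2"             # from the advisory
AFFECTED_THEME_NAME = "uppercase"   # assumed display name, compared case-insensitively

# One "Key: value" line inside the style.css header comment (leading "*" tolerated).
HEADER_LINE = re.compile(r"^\s*\*?\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+?)\s*$")


def parse_theme_header(style_css: str) -> Dict[str, str]:
    """Return the key/value pairs from the leading /* ... */ comment of a style.css."""
    block = re.search(r"/\*(.*?)\*/", style_css, re.S)
    if not block:
        return {}
    header: Dict[str, str] = {}
    for line in block.group(1).splitlines():
        m = HEADER_LINE.match(line)
        if m:
            header[m.group("key").strip().lower()] = m.group("value").strip()
    return header


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string as a comparable tuple ("1.2.2" -> (1, 2, 2))."""
    m = re.match(r"(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(header: Dict[str, str]) -> bool:
    """True when the header names the Uppercase theme with Version < 1.2.2."""
    name = header.get("theme name", "").lower()
    version = header.get("version")
    if name != AFFECTED_THEME_NAME or not version:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory (e.g. an unpacked image) and list affected style.css paths with versions."""
    findings: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        # Only look at wp-content/themes/<slug>/style.css, not arbitrary stylesheets.
        if "style.css" in files and os.path.basename(os.path.dirname(dirpath)) == "themes":
            path = os.path.join(dirpath, "style.css")
            with open(path, encoding="utf-8", errors="replace") as fh:
                header = parse_theme_header(fh.read())
            if is_affected(header):
                findings.append((path, header.get("version", "")))
    return findings


# Constructed sample headers (not real theme files).
VULNERABLE_HEADER = """/*
Theme Name: Uppercase
Theme URI: https://example.invalid/uppercase
Version: 1.2.1
*/
body { margin: 0; }
"""
PATCHED_HEADER = """/*
Theme Name: Uppercase
Version: 1.2.2
*/
"""
OTHER_THEME_HEADER = """/*
Theme Name: Some Other Theme
Version: 1.0
*/
"""


def demo_scan() -> List[str]:
    """Build a throwaway wp-content tree with the three sample themes and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for slug, css in (("uppercase-old", VULNERABLE_HEADER),
                          ("uppercase-new", PATCHED_HEADER),
                          ("other", OTHER_THEME_HEADER)):
            theme_dir = os.path.join(root, "wp-content", "themes", slug)
            os.makedirs(theme_dir)
            with open(os.path.join(theme_dir, "style.css"), "w", encoding="utf-8") as fh:
                fh.write(css)
        # Return only the theme slug of each finding so the result is path-independent.
        return [os.path.basename(os.path.dirname(p)) for p, _v in scan_tree(root)]


if __name__ == "__main__":
    print("affected themes:", demo_scan())
```

Comparing numeric tuples rather than strings matters here: a string comparison would rank "1.10.0" below "1.2.2".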
HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the appropriate team inbox within each customer organization based on policy-defined severity thresholds and image ownership rules.
A patched-image rebuild based on Uppercase version 1.2.2 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the WordPress installation via HTTP or HTTPS to exploit this flaw.
- Authentication: Not required
No account or session credential of any kind is needed; the exploit is available to any unauthenticated visitor who can reach the service.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; the exploit is fully self-contained and requires no action from a logged-in user or administrator.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must meet specific environmental or timing conditions, such as correctly predicting file paths or chaining with other server-side behaviors, rather than firing a simple repeatable payload.
Blast Radius
- A successful attacker reads arbitrary files from the server filesystem, including WordPress configuration files that contain database credentials, secret keys, and API tokens.
- The attacker can tamper with application data or inject content by leveraging included files that are executed server-side, potentially modifying persisted records or site behavior.
- Full availability impact means the attacker can crash or render the affected WordPress installation completely unresponsive.
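Because the flaw is reachable unauthenticated over HTTP, attempts against it leave traces in the web server access log. The following is an added example, not part of the advisory or of HarborGuard's tooling: a small detector that parses Common Log Format lines, percent-decodes the request path (repeatedly, to catch double encoding), and flags the generic indicators of local file inclusion probing, namely traversal sequences, references to well-known sensitive files, PHP stream wrappers and null bytes. The log lines and the query parameter name are constructed for the demo; the detector does not depend on the theme's actual endpoint, which the advisory does not name.

```python
"""Flag local-file-inclusion probing in web server access logs (added example)."""
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Generic LFI indicators, evaluated against the decoded request path.
SUSPICIOUS = [
    (re.compile(r"\.\.[/\\]"), "directory traversal"),
    (re.compile(r"(?i)(?:^|[/\\])(?:etc[/\\]passwd|wp-config\.php|proc[/\\]self)"),
     "sensitive file reference"),
    (re.compile(r"(?i)\b(?:php|data|file|expect)://"), "stream wrapper"),
    (re.compile(r"%00|\x00"), "null byte"),
]


def normalize(path: str) -> str:
    """Percent-decode until stable (max 3 rounds) and unify path separators."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def classify(path: str) -> List[str]:
    """Return the indicator labels that match the decoded path."""
    decoded = normalize(path)
    return [label for rx, label in SUSPICIOUS if rx.search(decoded)]


def scan_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Parse each line and keep the ones whose request path carries LFI indicators."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        labels = classify(m.group("path"))
        if labels:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": m.group("path"),
                "status": int(m.group("status")),
                "indicators": labels,
            })
    return findings


# Constructed sample log lines; the "theme_part" parameter name is made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /?theme_part=../../../../etc/passwd HTTP/1.1" 200 1234',
    '203.0.113.5 - - [10/Mar/2026:12:00:02 +0000] "GET /?theme_part=..%252f..%252fwp-config.php HTTP/1.1" 200 980',
    '198.51.100.7 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-content/themes/uppercase/style.css HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Mar/2026:12:00:04 +0000] "GET /about-us/ HTTP/1.1" 200 8801',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["path"]} -> {", ".join(hit["indicators"])}')
```

A 200 status on a flagged request is the line worth escalating: the same probe answered with 404 or 403 is noise from scanners, while a 200 on a traversal path against an unpatched install is the signal that the file read described under Blast Radius may have happened.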
How HarborGuard Handles This
Available on HarborGuard: any container image bundling the Uppercase WordPress theme below version 1.2.2 is detectable the moment the CVE enters upstream feeds, with matching running continuously against images in customer registries and CI pipelines. For customers who opt into auto-remediation, HarborGuard queues a rebuild at version 1.2.2, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with full CVSS context and affected-image inventory attached. Compensating controls available in the interim include network-policy rules that restrict public access to the WordPress installation, egress filtering to limit what the server can read or return, and disabling the specific theme feature that handles dynamic file path input if the theme supports feature-flag gating.
Fix available
- codesupplyco / Uppercase: < 1.2.2 (from n/a)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H