CVE-2026-39568: WordPress Mr. SEO theme <= 2.0 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions.
Metrics
- CVSS v3.1
- 8.1
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a Local File Inclusion (LFI) vulnerability in the Mr. SEO WordPress theme by Elated-Themes, affecting all versions up to and including 2.0. The flaw is reachable over the network without any authentication, though exploitation requires overcoming certain environmental conditions (high attack complexity per the CVSS rating). A successful attacker can read sensitive files from the server, tamper with data, and disrupt service availability. HarborGuard tracks this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the Mr. SEO theme or WordPress installations derived from it.
AvailableHarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each customer environment's compliance policy, then routing the alert to the appropriate team inbox within the customer org for review and prioritization.
AvailableBecause no fix version has been published by Elated-Themes, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the WordPress service over the network; no local or physical access is needed.
- AuthenticationNot required
No account or session token is needed; the vulnerable code path is accessible to unauthenticated HTTP requests.
- Victim interactionNot required
No user action is required; the attacker interacts directly with the server without involving any end-user.
- Attack complexityDetail
Exploitation is rated high complexity, meaning the attacker must account for specific environmental conditions or configuration factors that are not fully under their control.
Blast Radius
- A successful attacker can read arbitrary files from the server filesystem, including WordPress configuration files containing database credentials and secret keys.
- Sensitive files such as /etc/passwd, application secrets, or private certificates stored on the host become readable.
- With high integrity impact confirmed by the CVSS score, an attacker can modify or overwrite server-side content or configuration.
- The availability impact is rated high, meaning the attacker can crash or render the affected WordPress service unresponsive.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-39568 is active across customer scanning environments as of the CVE publication date (2026-06-16). Because no upstream fix exists at this time, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically once Elated-Themes ships a remediated version of Mr. SEO. In the interim, customers can apply compensating controls: network-policy rules that restrict public HTTP access to WordPress deployments running this theme, egress filtering to limit server-side file access exposure, and disabling or uninstalling the Mr. SEO theme where it is not required. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger without manual action the moment a fix version is published.
- Elated-Themes / Mr. SEO≤ 2.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H