CVE-2026-39582: WordPress Hitek theme < 1.8.3 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 1.8.3
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a Local File Inclusion (LFI) vulnerability in the WordPress Hitek theme by xtemos, affecting all versions below 1.8.3. The flaw is reachable over the network and requires no authentication, so any remote visitor who can reach the site over HTTP can attempt it; the only factor holding the score below Critical is the High attack complexity (AC:H), meaning exploitation depends on conditions the attacker does not fully control. The CVSS vector rates the impact as high on all three axes (C:H/I:H/A:H): an attacker who succeeds can read arbitrary files the web server process can read, tamper with data, and crash or destabilise the service. The fix is to upgrade the theme to 1.8.3 or later; a patched-image rebuild at version 1.8.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection of CVE-2026-39582 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built WordPress images that bundle the Hitek theme. Both registry scans and CI pipeline checks are capable of surfacing affected Hitek versions below 1.8.3.
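The check a practitioner would run themselves is the same one a registry or CI scanner has to perform: walk `wp-content/themes`, parse each theme's `style.css` header block (where WordPress declares `Theme Name:`, `Version:` and, for child themes, `Template:`), and flag the Hitek parent theme when its version is below 1.8.3. The following is an added example, not HarborGuard's scanner or any xtemos code; it assumes the parent theme declares `Theme Name: Hitek`, treats pre-release suffixes such as `1.8.3-rc1` as older than the fix, reports a missing `Version:` header for manual review rather than silently passing it, and builds a constructed sample theme tree in a temporary directory so it runs offline.

```python
"""Flag WordPress installs running the Hitek theme below the fixed version 1.8.3.

Added example (not HarborGuard's or xtemos's code). Assumptions: the parent theme's
style.css declares "Theme Name: Hitek"; child themes carry a "Template:" header and
are skipped because their parent directory is checked on its own.
"""
import os
import re
import tempfile

FIXED_VERSION = "1.8.3"        # from the advisory
VULNERABLE_THEME = "hitek"     # assumed Theme Name, compared case-insensitively

# One "Key: value" line of the WordPress style.css header comment block.
HEADER_LINE = re.compile(r"^\s*\*?\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+?)\s*$", re.M)


def parse_theme_header(css_text: str) -> dict:
    """Return the header fields of a style.css as {lowercased key: value}.

    WordPress only reads the leading comment block, so stop at the first '*/'.
    """
    end = css_text.find("*/")
    block = css_text if end == -1 else css_text[:end]
    return {m.group("key").strip().lower(): m.group("value").strip()
            for m in HEADER_LINE.finditer(block)}


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions: numeric parts, then 1 for a final release.

    '1.10' sorts above '1.8.3' (numeric, not lexical) and '1.8.3-rc1' sorts below
    '1.8.3' because a pre-release suffix is treated as older than the final release.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)(.*)", version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    is_final = 0 if m.group(2).strip() else 1
    return (nums, is_final)


def classify_style_css(css_text: str) -> str:
    """Classify one theme as 'vulnerable', 'fixed', 'unknown-version' or 'not-hitek'."""
    header = parse_theme_header(css_text)
    name = header.get("theme name", "").lower()
    if name != VULNERABLE_THEME or "template" in header:
        return "not-hitek"            # another theme, or a child theme of Hitek
    version = header.get("version", "")
    if not re.match(r"\s*\d", version):
        return "unknown-version"      # no parsable Version: header; review by hand
    return "vulnerable" if version_key(version) < version_key(FIXED_VERSION) else "fixed"


def scan_themes_dir(themes_root: str) -> dict:
    """Scan every <themes_root>/<slug>/style.css and map slug -> classification."""
    results = {}
    for slug in sorted(os.listdir(themes_root)):
        css_path = os.path.join(themes_root, slug, "style.css")
        if os.path.isfile(css_path):
            with open(css_path, encoding="utf-8", errors="replace") as fh:
                results[slug] = classify_style_css(fh.read())
    return results


def demo() -> dict:
    """Build a constructed wp-content/themes tree (sample data, not a real site) and scan it."""
    root = tempfile.mkdtemp(prefix="themes-")
    samples = {
        "hitek": "/*\nTheme Name: Hitek\nVersion: 1.8.2\n*/\nbody {}\n",
        "hitek-child": "/*\nTheme Name: Hitek Child\nTemplate: hitek\nVersion: 1.0.0\n*/\n",
        "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/\n",
    }
    for slug, css in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, "style.css"), "w", encoding="utf-8") as fh:
            fh.write(css)
    return scan_themes_dir(root)


if __name__ == "__main__":
    for slug, status in demo().items():
        print(f"{slug}: {status}")
```

Point `scan_themes_dir` at the `wp-content/themes` directory of an unpacked image layer or a live install; anything reported as `vulnerable` or `unknown-version` needs the 1.8.3 upgrade or a manual look. The check deliberately ignores the child theme's own version, since a child theme inherits the parent's template files and the parent's `style.css` is where the affected version lives.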
HarborGuard scores this CVE at 8.1 HIGH using the CVSS v3.1 vector and can weight that score against each customer org's compliance policy to determine urgency. Triage findings are routed to the appropriate team inbox within each customer environment based on image ownership and policy configuration.
A patched-image rebuild at Hitek version 1.8.3 is available on HarborGuard for any environment found running an affected version. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint is exposed over the network (AV:N), so an attacker must be able to reach the WordPress service via HTTP or HTTPS. A site that is only reachable from an internal network narrows the attacker population but does not remove the exposure.
- Authentication: Not required
No account or session token is needed (PR:N); the exploit can be triggered by any unauthenticated HTTP request.
- Victim interaction: Not required
The attacker does not need to trick or involve any user (UI:N); the request is sent directly to the server.
- Attack complexity: High
Attack complexity is rated High (AC:H), meaning exploitation depends on conditions the attacker cannot fully control, such as a particular server configuration or winning a race condition. This keeps the base score at 8.1 rather than Critical, but an attacker who can satisfy those conditions still needs no credentials and no user interaction, so it is not a reason to defer the upgrade.
Blast Radius
- A successful attacker reads arbitrary files that the web server process can read. On a WordPress install that includes wp-config.php, which holds the database credentials and authentication salts, along with any other configuration files or environment files in reach of the PHP worker.
- The attacker gains the ability to modify or overwrite data accessible to the web server process (I:H in the vector).
- The attacker can disrupt or crash the affected WordPress service (A:H in the vector), causing an outage for end users.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-39582 runs against all images in customer registries and pipelines as soon as the advisory is ingested, covering custom-built images that include the Hitek theme. For environments running a version of Hitek below 1.8.3, a rebuild at the fixed version 1.8.3 is available. For customers who opt into auto-remediation, HarborGuard is capable of triggering the rebuild, executing regression tests, and opening a patch PR against affected workloads; for high-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, findings are surfaced in the triage queue with the CVSS 8.1 HIGH score and remediation guidance attached for manual action.
Fix available
- xtemos / Hitek: affected < 1.8.3 (introduced in: n/a); fixed in 1.8.3
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H