HIGH | CVE-2026-48972 | CNA: Patchstack

CVE-2026-48972: WordPress SeedProd Pro plugin < 6.19.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5.

HarborGuard Analysis

Synopsis

This is a PHP Local File Inclusion vulnerability in the SeedProd Pro WordPress plugin affecting versions before 6.19.5. An authenticated attacker with a low-privilege account can reach the vulnerable code over the network, and under the right conditions, force the server to include and execute arbitrary PHP files from the local filesystem. Successful exploitation gives the attacker full read, write, and availability impact on the affected host. A patched-image rebuild at version 6.19.5 is available on HarborGuard for environments running an affected version of SeedProd Pro.

HarborGuard Coverage

Detection (Available)

Detection capability for CVE-2026-48972 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds including Patchstack. Coverage extends to custom-built images containing bundled WordPress plugin installations, not just images pulled from public registries.

Triage (Available)

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to adjust priority. Triage alerts are routed to the inbox configured for the relevant team within each customer environment.

Patch (Available)

A patched-image rebuild at SeedProd Pro version 6.19.5 becomes available through HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so the attacker must be able to reach the service via HTTP or HTTPS.

  • Authentication: Required

    Any low-privilege WordPress account is sufficient; no administrative access is needed.

  • Victim interaction: Not required

    The attacker does not need to trick any user into taking an action; exploitation is direct.

  • Attack complexity: High

    Attack complexity is high, meaning the attacker must satisfy specific conditions such as particular server configuration or file layout before the inclusion can be triggered reliably.

Blast Radius

  • Reads arbitrary files from the server filesystem, including WordPress configuration files containing database credentials and secret keys.
  • Executes attacker-controlled PHP logic by including a crafted local file, enabling full remote code execution on the host.
  • Modifies application data or writes files to the filesystem if the web server process has write permissions.
  • Crashes or destabilizes the affected service by including a malformed or resource-exhausting file.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-48972 is active across all connected environments, matching affected SeedProd Pro versions in both pulled and custom-built images within minutes of CVE publication. For environments where an affected version is identified, a patched-image rebuild at version 6.19.5 is available immediately. Customers with auto-remediation enabled receive a full rebuild, a regression-test run, and a pull request opened against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in those environments. Where auto-remediation is not enabled, HarborGuard surfaces the finding with CVSS context and version pinning guidance so engineering teams can act directly. Until a rebuild is deployed, compensating controls such as network-policy rules restricting unauthenticated or low-privilege access to the plugin's endpoints are worth considering as a short-term measure.


Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 6.19.5
Affected Products: 1

Fix available: 6.19.5

Affected packages
  • SeedProd LLC / SeedProd Pro: < 6.19.5 (from n/a)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H