CVE-2026-54814 | Severity: HIGH | CNA: Patchstack

CVE-2026-54814: WordPress Motors plugin <= 1.4.109 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109.

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A Local File Inclusion vulnerability affects the StylemixThemes Motors WordPress plugin at version 1.4.109 and earlier. The flaw is reachable over the network without any authentication, though exploitation requires meeting specific conditions that make it less than trivially repeatable. A successful attacker can read sensitive files from the server, tamper with application data, and disrupt service availability, achieving full confidentiality, integrity, and availability impact on the affected host. HarborGuard is tracking the advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-54814 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds including Patchstack, NVD, and vendor advisories. Coverage extends to custom-built images that bundle the Motors plugin, not just upstream base images pulled from public registries.
Triage: Available

Triage is available with a CVSS v3.1 score of 8.1 (HIGH), weighted against each customer organization's configured compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy thresholds.
Patch: Pending upstream

Because no fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images carrying the affected plugin version.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress instance via HTTP or HTTPS to attempt exploitation.

  • Authentication: Not required

    No account or session credential is needed; the attacker can trigger the inclusion flaw as an unauthenticated visitor.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; exploitation is driven entirely by the attacker's own requests.

  • Attack complexity: High

    Complexity is rated High, meaning the attacker must satisfy specific environmental or configuration conditions, such as a particular server setup or race condition, rather than firing a simple, always-reliable exploit.

Blast Radius

  • A successful attacker can read arbitrary files from the server filesystem, exposing WordPress configuration files, database credentials, and private application secrets.
  • The attacker can tamper with application state or inject malicious PHP by leveraging the inclusion primitive, modifying persisted content or introducing backdoors.
  • Full service disruption is within reach, allowing the attacker to crash or destabilize the WordPress instance and make it unavailable to legitimate users.
  • If the web server process has broad filesystem permissions, the blast radius extends beyond the WordPress installation to other files and services co-located on the same host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-54814 at this time, HarborGuard continuously re-checks the Patchstack and NVD advisory feeds on every ingest cycle and will automatically make a patched-image rebuild available the moment StylemixThemes publishes a remediated release of the Motors plugin. While no patch is available, customers are encouraged to use HarborGuard's policy engine to enforce a block or warn gate on any image carrying the Motors plugin at version 1.4.109 or earlier, preventing those images from being promoted to production. Additional compensating controls worth considering include network-policy isolation to restrict public access to the WordPress admin surface, egress filtering to limit outbound connections from the container, and disabling any plugin feature flags that invoke dynamic file inclusion. HarborGuard will surface a notification and trigger the rebuild-and-PR flow, gated on each customer's auto-remediation settings, as soon as a fix version is confirmed.
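The block-or-warn gate described above can be approximated outside HarborGuard with a version check over an unpacked image filesystem. The following is an added example, not HarborGuard's or the plugin's own code: it reads the standard WordPress plugin header (`Plugin Name`, `Version`) and flags Motors copies at or below 1.4.109. Matching on a header name containing "Motors" and the sample directory names are assumptions, since the page does not give the plugin's install path.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 4, 109)  # advisory: "from n/a through 1.4.109"
NAME_MATCH = re.compile(r"\bmotors\b", re.I)  # assumption: header name contains "Motors"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def parse_version(text):
    """'1.4.20' -> (1, 4, 20), so 1.4.20 sorts below 1.4.109 (a string compare would not)."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))

def read_header(php_file):
    """Read the WordPress plugin header fields from the start of a PHP file."""
    fields = {}
    for key, value in HEADER.findall(php_file.read_text(errors="replace")[:8192]):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def find_affected(root):
    """Return (relative path, version) for each Motors copy at or below 1.4.109."""
    hits = []
    for php in sorted(Path(root).glob("**/wp-content/plugins/*/*.php")):
        hdr = read_header(php)
        name, ver = hdr.get("plugin name", ""), hdr.get("version", "")
        if not NAME_MATCH.search(name):
            continue
        parsed = parse_version(ver)
        # Fail closed: a Motors copy with no readable version is flagged too.
        if not parsed or parsed <= LAST_AFFECTED:
            hits.append((php.relative_to(root).as_posix(), ver or "unknown"))
    return hits

def demo():
    """Constructed sample tree; directory and plugin names are made up."""
    samples = {"motors-old": ("Motors Example", "1.4.20"),
               "motors-new": ("Motors Example", "1.4.110"),
               "other": ("Unrelated Plugin", "1.0.0")}
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp, "rootfs/var/www/html/wp-content/plugins")
        for folder, (name, ver) in samples.items():
            (plugins / folder).mkdir(parents=True)
            (plugins / folder / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return find_affected(tmp)

if __name__ == "__main__":
    for path, ver in demo():
        print(f"BLOCK: {path} (version {ver})")
```

In a pipeline, a non-empty result from `find_affected` on the extracted image root would fail the promotion step.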

Affected packages
  • StylemixThemes / Motors: ≤ 1.4.109
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H