Description
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Local File Inclusion flaw is present in the WordPress Goya Core plugin in versions prior to 1.0.9.4. The vulnerability allows an attacker to load arbitrary files from the server into the web context, potentially exposing sensitive configuration files and credentials or enabling the execution of malicious code. The weakness is classified as CWE-98 and directly affects the confidentiality and integrity of the affected site.

Affected Systems

The issue affects WordPress sites that use the Goya Core plugin from the Everthemess project, specifically any installation running a plugin version older than 1.0.9.4. No other vendor or product is affected by this particular LFI bug.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web-based request that manipulates the plugin's file inclusion logic. The CVSS vector (AV:N/AC:H/PR:L) and the "Contributor" label in the description indicate that exploitation requires network access to the WordPress installation and a low-privileged account. The lack of audience-targeting or privilege escalation details suggests the impact is primarily local to the web application, but it can still lead to significant data exposure or further compromise.

Generated by OpenCVE AI on June 26, 2026 at 16:21 UTC.

Remediation

Vendor Solution

Update the WordPress Goya Core Plugin to the latest available version (at least 1.0.9.4).


OpenCVE Recommended Actions

  • Update the Goya Core plugin to version 1.0.9.4 or later
  • If an update is not immediately possible, uninstall or deactivate the vulnerable plugin to block the inclusion path
  • After making changes, re‑scan for other LFI weaknesses and monitor site logs for suspicious file-access attempts

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
Title | | WordPress Goya Core plugin < 1.0.9.4 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: Patchstack
Published:
Updated: 2026-06-26T15:39:21.992Z
Reserved: 2025-12-15T10:01:19.544Z
Link: CVE-2025-68064

Vulnrichment

Updated: 2026-06-26T15:39:18.132Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')