Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue affects Turbo Manager: from n/a through < 4.0.8.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion with potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Turbo Manager is an improper control of the filename used in PHP include/require statements, allowing an attacker to trigger Local File Inclusion. When an attacker can supply a crafted file path, the application can include local files, potentially enabling execution of arbitrary PHP code and remote code execution. This weakness is identified as CWE-98.

Affected Systems

The affected product is the Turbo Manager plugin from redqteam. All releases from the initial version up to, but not including, 4.0.8 are impacted. The exact range of affected versions is specified as "n/a through < 4.0.8".

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score of less than 1% suggests that current exploitation activity is low. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector involves a web request to the vulnerable plugin’s endpoint that allows a file path parameter; based on the description it is inferred that an attacker can manipulate this parameter to cause the include operation to load arbitrary local files.

Generated by OpenCVE AI on March 17, 2026 at 16:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Turbo Manager plugin to version 4.0.8 or later.
  • If an immediate upgrade is not possible, disable or uninstall the Turbo Manager plugin to eliminate the vulnerability.
  • Restrict filesystem permissions on the server so that the web application cannot read arbitrary files outside the WordPress installation.
  • Deploy application layer firewall rules that block or log attempts to use directory traversal or local file inclusion patterns against WordPress plugins.
  • Monitor web server and application logs for suspicious include requests or errors related to file inclusion.

Generated by OpenCVE AI on March 17, 2026 at 16:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Redqteam
Redqteam turbo Manager
Wordpress
Wordpress wordpress
Vendors & Products Redqteam
Redqteam turbo Manager
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue affects Turbo Manager: from n/a through < 4.0.8.
Title WordPress Turbo Manager plugin < 4.0.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Redqteam Turbo Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:59.596Z

Reserved: 2026-03-12T11:10:53.774Z

Link: CVE-2026-32364

cve-icon Vulnrichment

Updated: 2026-03-17T13:38:45.894Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:50.447

Modified: 2026-03-17T14:16:15.760

Link: CVE-2026-32364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T09:58:53Z

Weaknesses