Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion. This issue affects Medilink-Core: from n/a through < 2.0.7.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists due to improper validation of file names in the include/require statements within the RadiusTheme Medilink‑Core plugin. It enables an attacker to force the plugin to include an arbitrary local file on the server, potentially leaking sensitive data or configuration files. The flaw is classified as CWE‑98 and could allow attackers to read any accessible files, which may lead to further compromise if the disclosed files contain credentials or other secrets.

Affected Systems

The affected product is the Medilink‑Core plugin for WordPress by RadiusTheme. The vulnerability applies to all released versions from the initial release up through any version prior to 2.0.7. No specific sub‑release information is provided beyond the < 2.0.7 boundary.

Risk and Exploitability

The CVSS score of 7.5 denotes high severity, indicating significant potential impact if exploited. The EPSS score is below 1%, pointing to a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based: a user supplies a malicious parameter in a request, and that parameter is not sanitized before inclusion. Exploitation requires only local file inclusion and does not require elevated privileges, making it accessible to attackers with network reach to the WordPress site.

Generated by OpenCVE AI on March 17, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Medilink‑Core to version 2.0.7 or later
  • If an update is not possible, disable the Medilink‑Core plugin until a patched version is available

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Radiustheme
  Radiustheme medilink-core
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Radiustheme
  Radiustheme medilink-core
  Wordpress
  Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion. This issue affects Medilink-Core: from n/a through < 2.0.7.

Type: Title
Values Removed: (none)
Values Added: WordPress Medilink-Core plugin < 2.0.7 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:00.656Z

Reserved: 2026-03-12T11:10:59.411Z

Link: CVE-2026-32369

Vulnrichment

Updated: 2026-03-16T14:35:32.984Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:54:51.220

Modified: 2026-03-16T15:16:23.227

Link: CVE-2026-32369

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:58:49Z

Weaknesses