Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion. This issue affects Medilazar Core: from n/a through < 1.4.7.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The Medilazar Core plugin for WordPress does not properly control the filename passed to PHP's include/require statements, resulting in a local file inclusion (LFI) flaw. An attacker can supply a crafted file path that the plugin includes without validation, potentially disclosing sensitive files or executing arbitrary PHP code if the attacker can place a PHP file on the server. This weakness corresponds to CWE-98 and threatens the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

This vulnerability affects all releases of the Medilazar Core plugin from the first available version up to, but excluding, version 1.4.7. WordPress sites using any of these earlier versions of the plugin, regardless of theme or host, are potentially impacted. The affected product is the Medilazar Core plugin developed by themelexus.

Risk and Exploitability

The CVSS score of 7.5 rates it as high severity, while the EPSS score below 1% suggests a low current probability of exploitation, and it is not listed in the CISA KEV catalog. The likely attack vector is an LFI triggered by manipulating a user-supplied filename parameter or similar input. Security teams should treat this as a high-risk vulnerability and prioritize patching or hardening measures.

Generated by OpenCVE AI on March 19, 2026 at 15:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Medilazar Core plugin to version 1.4.7 or later
  • If immediate update is not possible, restrict access to the plugin's affected file inclusions using file access controls or input validation
  • Verify that all WordPress installations are running the patched version and that no unpatched copies remain
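As an added example, not code from the Medilazar Core plugin or from OpenCVE, this is the kind of allowlist and resolved-path check that closes a CWE-98 include in a WordPress plugin, in contrast to including a request-supplied name directly. The parameter name mdl_section, the templates/ directory and the template list are assumptions.

```php
<?php
// Added example (hypothetical plugin code, not Medilazar Core's own):
// a hardened template loader for a WordPress plugin that must include
// a file chosen by request input. The weak pattern this replaces is
// include($_GET['mdl_section'] . '.php') with no validation at all.

function mdl_load_section_template(): void {
    // Only these templates may ever be included (an allowlist, not a denylist).
    $allowed = ['header', 'footer', 'sidebar'];

    $requested = isset($_GET['mdl_section']) ? (string) $_GET['mdl_section'] : 'header';

    // Reject anything that is not an exact allowlist entry. This rules out
    // "../" traversal, null bytes, stream wrappers and absolute paths in one step.
    if (!in_array($requested, $allowed, true)) {
        wp_die(esc_html__('Invalid template.', 'medilazar-core'), '', ['response' => 400]);
    }

    // Resolve both the template directory and the candidate file to real paths.
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');

    // Defence in depth: even with an allowlist, confirm the resolved path is a
    // regular file strictly inside the plugin's template directory before including it.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        wp_die(esc_html__('Invalid template.', 'medilazar-core'), '', ['response' => 400]);
    }

    include $path;
}
```

Requests whose mdl_section value is not an allowlisted name are answered with HTTP 400 and never reach include, which is also a useful signal to alert on in web server logs.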

Generated by OpenCVE AI on March 19, 2026 at 15:17 UTC.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Themelexus; Themelexus medilazar Core; Wordpress; Wordpress wordpress
Vendors & Products  |                | Themelexus; Themelexus medilazar Core; Wordpress; Wordpress wordpress

Fri, 13 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
        |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themelexus Medilazar Core medilazar-core allows PHP Local File Inclusion. This issue affects Medilazar Core: from n/a through < 1.4.7.
Title       |                | WordPress Medilazar Core plugin < 1.4.7 - Local File Inclusion vulnerability
Weaknesses  |                | CWE-98
References  |                |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:14.763Z

Reserved: 2026-03-12T11:11:26.571Z

Link: CVE-2026-32426

Vulnrichment

Updated: 2026-03-13T17:55:57.004Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:55:00.960

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32426

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:03:38Z

Weaknesses