Description
Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Thegov Core plugin for WordPress contains an unauthenticated local file inclusion flaw in all releases before version 2.0.23. The weakness allows a request that is processed by the plugin to include the contents of any file readable by the web server. Based on the nature of local file inclusion, it is inferred that if a PHP file could be supplied in the inclusion path, the code within that file might be executed, potentially compromising the entire WordPress installation.

Affected Systems

Any WordPress installation that uses the WebGeniusLab Thegov Core plugin with a version older than 2.0.23 is affected. The vulnerability is specific to sites that have that plugin installed and do not depend on other WordPress core files or plugins.

Risk and Exploitability

The flaw is rated high severity with a CVSS score of 8.1. The EPSS score is below 1%, indicating a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers do not need authentication to trigger the flaw, as it is an unauthenticated vulnerability; an unauthenticated actor could request the relevant endpoint to exploit the file inclusion.

Generated by OpenCVE AI on June 18, 2026 at 12:47 UTC.

Remediation

Vendor Solution

Update the WordPress Thegov Core Plugin to the latest available version (at least 2.0.23).


OpenCVE Recommended Actions

  • Update Thegov Core to version 2.0.23 or newer.
  • If an immediate update is not feasible, disable or uninstall the plugin to remove the attack vector.
  • Configure the web server or WordPress to deny execution of PHP files in the plugin’s directory or to restrict access to the plugin’s paths so that arbitrary file inclusion cannot occur.

Generated by OpenCVE AI on June 18, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Webgeniuslab
Webgeniuslab thegov Core
Wordpress
Wordpress wordpress
Vendors & Products Webgeniuslab
Webgeniuslab thegov Core
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Thegov Core < 2.0.23 versions.
Title WordPress Thegov Core plugin < 2.0.23 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Webgeniuslab Thegov Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:43:54.687Z

Reserved: 2026-03-31T09:57:17.719Z

Link: CVE-2026-34893

cve-icon Vulnrichment

Updated: 2026-06-17T10:43:49.596Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:02Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')