Description
Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated Local File Inclusion flaw in the Softlab Core WordPress plugin prior to version 1.2.11. The flaw, classified as CWE‑98, allows an attacker to read arbitrary files from the server’s file system by supplying a crafted file path parameter. This can expose sensitive configuration data, credentials, or other secrets, potentially aiding further compromise of the web application. The description does not mention remote code execution, so the impact is limited to information disclosure unless additional vulnerabilities are present.

Affected Systems

The Softlab Core plugin, developed by WebGeniusLab, reaches all WordPress installations that have the plugin enabled and are running a version earlier than 1.2.11.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability that this flaw will be actively exploited at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker can trigger the inclusion by sending an unauthenticated HTTP request that manipulates the plugin’s file path argument, thereby accessing local files on the server. There are no known mitigations beyond updating the plugin; therefore, the risk remains if the vulnerability is left unpatched.

Generated by OpenCVE AI on June 17, 2026 at 19:40 UTC.

Remediation

Vendor Solution

Update the WordPress Softlab Core Plugin to the latest available version (at least 1.2.11).


OpenCVE Recommended Actions

  • Apply the latest Softlab Core plugin update (version 1.2.11 or newer).
  • If an immediate update is not possible, restrict web access to the plugin directory and block unauthenticated requests that supply file path parameters.
  • Ensure file permissions on the server prevent web users from reading sensitive files such as configuration files, database credentials, and logs.

Generated by OpenCVE AI on June 17, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Webgeniuslab
Webgeniuslab softlab Core
Wordpress
Wordpress wordpress
Vendors & Products Webgeniuslab
Webgeniuslab softlab Core
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions.
Title WordPress Softlab Core plugin < 1.2.11 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Webgeniuslab Softlab Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:43:27.188Z

Reserved: 2026-03-31T09:57:35.160Z

Link: CVE-2026-34895

cve-icon Vulnrichment

Updated: 2026-06-17T10:43:22.115Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:05:34Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')