Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion.

This issue affects SW Core: from n/a through 1.7.18.
Published: 2026-05-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename passed to an include/require statement in the SW Core plugin. Because the input is not properly validated, an attacker can supply a path that causes arbitrary local files to be included. The weakness is classified as CWE-98 and is exploitable here as Local File Inclusion. If successfully exploited, the attacker could read sensitive configuration files or credentials, or potentially execute arbitrary PHP code, leading to compromise of the affected WordPress site.

Affected Systems

Magentech's SW Core plugin for WordPress is affected in all versions up to and including 1.7.18. No specific host or environment constraints are listed, so any WordPress installation running an affected version of the plugin is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is not available, and the vulnerability is not currently listed in CISA's KEV catalog, so there is no evidence of known exploitation in the wild. Based on the description, it is inferred that the attack vector involves local file inclusion via the plugin's web interface and that some form of user access (unauthenticated or authenticated) is required to trigger the include logic. While the probability of exploitation is not quantified, the high CVSS and lack of mitigations suggest that administrators should treat this as a high risk to confidentiality, integrity, and availability.

Generated by OpenCVE AI on May 26, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the installed SW Core plugin version; if it is 1.7.18 or earlier, it is vulnerable and should be updated promptly.
  • Apply the SW Core update that addresses the LFI flaw as soon as it is released.
  • If an update has not yet been published, deactivate or uninstall the SW Core plugin until a fix is available.
  • Configure PHP and your web server to restrict file inclusion to whitelisted directories and deny direct web access to sensitive configuration files, and monitor logs for suspicious include activity.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Magentech; Magentech sw Core; Wordpress; Wordpress wordpress
Vendors & Products | | Magentech; Magentech sw Core; Wordpress; Wordpress wordpress

Tue, 26 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 26 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18.
Title | | WordPress SW Core plugin <= 1.7.18 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:47:57.175Z

Reserved: 2026-04-07T10:57:53.260Z

Link: CVE-2026-39661

Vulnrichment

Updated: 2026-05-26T10:47:52.615Z

NVD

Status: Received

Published: 2026-05-26T09:16:20.613

Modified: 2026-05-26T09:16:20.613

Link: CVE-2026-39661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T12:59:40Z

Weaknesses