Description
The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2026-05-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Advanced Database Cleaner – Premium WordPress plugin and allows authenticated users with Subscriber-level or higher access to supply a 'template' parameter that causes the server to include and execute arbitrary .php files. This results in a bypass of access controls, potential disclosure of sensitive data, and the ability to run arbitrary PHP code on the server. The weakness is classified as CWE-98 (Hardcoded Path).

Affected Systems

SigmaPlugin:Advanced Database Cleaner – Premium plugin for WordPress, versions up to and including 4.1.0 are affected.

Risk and Exploitability

The CVSS score of 8.8 classifies this flaw as high severity, indicating significant potential for damage. No EPSS score is available, but the lack of KEV listing does not diminish the inherent risk, especially since the attack requires only Subscriber-level authentication, which is commonly granted in many WordPress sites. An attacker who authenticates can use the LFI flaw to execute any PHP file present on the server, potentially compromising the entire site and its data.

Generated by OpenCVE AI on May 20, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Advanced Database Cleaner – Premium plugin to version 4.1.1 or newer to remove the LFI vulnerability.
  • If an upgrade is not immediately possible, disable or restrict the 'template' parameter by editing the plugin code or applying a filter so that only allowed template files can be loaded.
  • Implement a web application firewall or server rule to block suspicious 'template' parameter values and monitor logs for signs of LFI exploitation.

Generated by OpenCVE AI on May 20, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Sigmaplugin
Sigmaplugin advanced Database Cleaner
Wordpress
Wordpress wordpress
Vendors & Products Sigmaplugin
Sigmaplugin advanced Database Cleaner
Wordpress
Wordpress wordpress

Wed, 20 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Sigmaplugin Advanced Database Cleaner
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T14:06:09.535Z

Reserved: 2026-04-30T16:54:22.453Z

Link: CVE-2026-7522

cve-icon Vulnrichment

Updated: 2026-05-20T14:05:55.538Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T05:16:22.327

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-7522

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:00:04Z

Weaknesses