What is the CVSS score of CVE-2026-39544?

CVE-2026-39544 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-39544?

CVE-2026-39544 affects themeStek LabtechCO WordPress theme through version 8.3, enabling authenticated users with low privileges to read arbitrary files from the web server.

PHP CVE-2026-39544

Q: How to fix or mitigate CVE-2026-39544?

Within 24 hours: audit all WordPress installations for themeStek LabtechCO theme presence and version (check /wp-content/themes/ directories and wp_options table for active theme). Within 7 days: if running affected versions (≤8.3), migrate to an alternative theme or contact themeStek for guidance on unofficial patches; restrict administrative and contributor roles to trusted personnel only. Within 30 days: establish a WordPress plugin/theme inventory and patch management process to prevent future exploitation of similar vulnerabilities.

EUVD-2026-20202 HIGH

PHP Remote File Inclusion (CWE-98)

2026-04-08 Patchstack

GHSA-2j6r-34xw-23mj

PHP Information Disclosure LFI

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 18:22 vuln.today

cvss_changed

Analysis Generated

Apr 14, 2026 - 19:40 vuln.today

CVSS changed

Apr 14, 2026 - 19:22 NVD

7.5 (HIGH)

EUVD ID Assigned

Apr 08, 2026 - 08:45 euvd

EUVD-2026-20202

CVE Published

Apr 08, 2026 - 08:30 nvd

N/A

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.This issue affects LabtechCO: from n/a through <= 8.3.

AnalysisAI

Local file inclusion in themeStek LabtechCO WordPress theme versions through 8.3 allows authenticated attackers with low privileges to read arbitrary files from the web server. Despite the CWE classification mentioning remote file inclusion, available data (tags, Patchstack categorization) confirms this is a local file inclusion vulnerability. …

RemediationAI

Within 24 hours: audit all WordPress installations for themeStek LabtechCO theme presence and version (check /wp-content/themes/ directories and wp_options table for active theme). Within 7 days: if running affected versions (≤8.3), migrate to an alternative theme or contact themeStek for guidance on unofficial patches; restrict administrative and contributor roles to trusted personnel only. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39544 vulnerability details – vuln.today

Back

PHP CVE-2026-39544

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code