What is the CVSS score of CVE-2026-39623?

CVE-2026-39623 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-39623?

CVE-2026-39623 affects kutethemes Biolife WordPress theme versions up to 3.2.3, allowing authenticated users with low privileges to execute arbitrary PHP code through local file inclusion,…

PHP CVE-2026-39623

Q: How to fix or mitigate CVE-2026-39623?

Within 24 hours: Identify all WordPress installations using kutethemes Biolife theme versions 3.2.3 and earlier; disable or remove the theme immediately. Within 7 days: Upgrade to kutethemes Biolife version 3.2.4 or later if available from the vendor, or select and deploy an alternative theme; audit user access logs for suspicious activity by authenticated users. Within 30 days: Conduct security review of all WordPress user accounts with editor or administrator privileges; implement Web Application Firewall (WAF) rules to restrict unusual file inclusion patterns.

EUVD-2026-20266 HIGH

PHP Remote File Inclusion (CWE-98)

2026-04-08 Patchstack

GHSA-g5mv-4v3p-hp4g

PHP Information Disclosure LFI

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 18:22 vuln.today

cvss_changed

EUVD ID Assigned

Apr 08, 2026 - 08:45 euvd

EUVD-2026-20266

Analysis Generated

Apr 08, 2026 - 08:45 vuln.today

CVE Published

Apr 08, 2026 - 08:30 nvd

HIGH 7.5

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3.

AnalysisAI

Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. …

RemediationAI

Within 24 hours: Identify all WordPress installations using kutethemes Biolife theme versions 3.2.3 and earlier; disable or remove the theme immediately. Within 7 days: Upgrade to kutethemes Biolife version 3.2.4 or later if available from the vendor, or select and deploy an alternative theme; audit user access logs for suspicious activity by authenticated users. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39623 vulnerability details – vuln.today

Back

PHP CVE-2026-39623

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code