Is PHP affected by CVE-2026-39684?

UnTheme OrganicFood WordPress theme versions up to 3.6.4 contain a local file inclusion vulnerability that allows low-privileged authenticated users to read sensitive server files, including credentials and configuration data.

CVE-2026-39684

Q: How to fix CVE-2026-39684?

Within 24 hours: Inventory all WordPress installations using UnTheme OrganicFood theme and document current versions. Within 7 days: If theme version is 3.6.4 or earlier, immediately switch to an alternative theme or disable the affected theme; restrict low-privileged user roles from accessing WordPress admin functions as an interim control. Within 30 days: Implement a WordPress plugin management policy requiring theme updates and establish automated vulnerability scanning for WordPress plugins and themes.

EUVD-2026-20372 HIGH

2026-04-08 Patchstack

GHSA-ggw9-84x2-h53g

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 08, 2026 - 08:45 vuln.today

EUVD ID Assigned

Apr 08, 2026 - 08:45 euvd

EUVD-2026-20372

CVE Published

Apr 08, 2026 - 08:30 nvd

HIGH 7.5

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.This issue affects OrganicFood: from n/a through <= 3.6.4.

Analysis

Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. …

Remediation

Within 24 hours: Inventory all WordPress installations using UnTheme OrganicFood theme and document current versions. Within 7 days: If theme version is 3.6.4 or earlier, immediately switch to an alternative theme or disable the affected theme; restrict low-privileged user roles from accessing WordPress admin functions as an interim control. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

CVE-2026-39684 vulnerability details – vuln.today

Back

CVE-2026-39684

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-39684

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code