What is the CVSS score of CVE-2026-39684?

CVE-2026-39684 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of PHP are affected by CVE-2026-39684?

UnTheme OrganicFood WordPress theme versions up to 3.6.4 contain a local file inclusion vulnerability that allows low-privileged authenticated users to read sensitive server files, including…

PHP CVE-2026-39684

Q: How to fix or mitigate CVE-2026-39684?

Within 24 hours: Inventory all WordPress installations using UnTheme OrganicFood theme and document current versions. Within 7 days: If theme version is 3.6.4 or earlier, immediately switch to an alternative theme or disable the affected theme; restrict low-privileged user roles from accessing WordPress admin functions as an interim control. Within 30 days: Implement a WordPress plugin management policy requiring theme updates and establish automated vulnerability scanning for WordPress plugins and themes.

EUVD-2026-20372 HIGH

PHP Remote File Inclusion (CWE-98)

2026-04-08 Patchstack

GHSA-ggw9-84x2-h53g

PHP Information Disclosure LFI

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 18:07 vuln.today

cvss_changed

EUVD ID Assigned

Apr 08, 2026 - 08:45 euvd

EUVD-2026-20372

Analysis Generated

Apr 08, 2026 - 08:45 vuln.today

CVE Published

Apr 08, 2026 - 08:30 nvd

HIGH 7.5

DescriptionNVD

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in UnTheme OrganicFood organicfood allows PHP Local File Inclusion.This issue affects OrganicFood: from n/a through <= 3.6.4.

AnalysisAI

Local file inclusion in UnTheme OrganicFood WordPress theme versions up to 3.6.4 enables authenticated attackers with low privileges to read arbitrary files on the server and potentially achieve remote code execution. Exploitation requires network access and high attack complexity (CVSS AC:H), allowing disclosure of sensitive configuration data, credentials, and system files. …

RemediationAI

Within 24 hours: Inventory all WordPress installations using UnTheme OrganicFood theme and document current versions. Within 7 days: If theme version is 3.6.4 or earlier, immediately switch to an alternative theme or disable the affected theme; restrict low-privileged user roles from accessing WordPress admin functions as an interim control. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-39684 vulnerability details – vuln.today

Back

PHP CVE-2026-39684

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code