Is PHP affected by EUVD-2026-20266?

CVE-2026-39623 affects kutethemes Biolife WordPress theme versions up to 3.2.3, allowing authenticated users with low privileges to execute arbitrary PHP code through local file inclusion, potentially compromising websites running this theme.

EUVD-2026-20266

Q: How to fix EUVD-2026-20266?

Within 24 hours: Identify all WordPress installations using kutethemes Biolife theme versions 3.2.3 and earlier; disable or remove the theme immediately. Within 7 days: Upgrade to kutethemes Biolife version 3.2.4 or later if available from the vendor, or select and deploy an alternative theme; audit user access logs for suspicious activity by authenticated users. Within 30 days: Conduct security review of all WordPress user accounts with editor or administrator privileges; implement Web Application Firewall (WAF) rules to restrict unusual file inclusion patterns.

| CVE-2026-39623 HIGH

2026-04-08 Patchstack

GHSA-g5mv-4v3p-hp4g

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 08, 2026 - 08:45 vuln.today

EUVD ID Assigned

Apr 08, 2026 - 08:45 euvd

EUVD-2026-20266

CVE Published

Apr 08, 2026 - 08:30 nvd

HIGH 7.5

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3.

Analysis

Local file inclusion vulnerability in kutethemes Biolife WordPress theme versions up to 3.2.3 enables authenticated attackers with low privileges to include and execute arbitrary PHP files from the server filesystem via improper filename control in include/require statements. Exploitation requires network access and high complexity conditions (CVSS:3.1 AV:N/AC:H/PR:L), potentially leading to information disclosure, code execution, and full system compromise. …

Remediation

Within 24 hours: Identify all WordPress installations using kutethemes Biolife theme versions 3.2.3 and earlier; disable or remove the theme immediately. Within 7 days: Upgrade to kutethemes Biolife version 3.2.4 or later if available from the vendor, or select and deploy an alternative theme; audit user access logs for suspicious activity by authenticated users. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +38

POC: 0

EUVD-2026-20266 vulnerability details – vuln.today

Back

EUVD-2026-20266

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-20266

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code