Skip to main content

Getaway

1 CVEs product

Monthly

CVE-2026-39547 HIGH PATCH This Week

Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

PHP Information Disclosure LFI Getaway
NVD
CVSS 3.1
8.1
EPSS
0.4%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.

PHP Information Disclosure LFI +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy