Skip to main content

Thegov Core

1 CVEs product

Monthly

CVE-2026-34893 HIGH PATCH This Week

Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.

PHP Information Disclosure LFI Thegov Core
NVD
CVSS 3.1
8.1
EPSS
0.4%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.

PHP Information Disclosure LFI +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy