CVE-2026-27065
ThimPress · BuilderPress
BuilderPress by ThimPress contains a PHP Local File Inclusion (LFI) vulnerability caused by improper control of filenames in include/require statements.
Executive summary
ThimPress BuilderPress versions through 2.0.1 are vulnerable to a critical Local File Inclusion flaw, permitting attackers to read sensitive system files or execute arbitrary PHP code.
Vulnerability
The application exhibits improper control of filenames used in include or require statements, resulting in a PHP Local File Inclusion vulnerability that allows attackers to manipulate file paths.
Business impact
This vulnerability, rated with a critical CVSS score of 9.8, allows an attacker to access sensitive information or execute malicious code on the server. The potential for full system compromise and unauthorized data access makes this an urgent priority for remediation to prevent complete breach of the application environment.
Remediation
Immediate Action: Update the BuilderPress plugin to the latest version provided by ThimPress to fix the file inclusion logic.
Proactive Monitoring: Review web server access logs for anomalous requests containing path traversal sequences or attempts to access system files (e.g., /etc/passwd).
Compensating Controls: Configure the web server to restrict directory access and utilize a WAF to block requests containing directory traversal characters or suspicious file path patterns.
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Given the critical nature of this LFI vulnerability, it is imperative that administrators update to the latest version of the BuilderPress plugin immediately. Failure to patch may result in unauthorized access to sensitive configuration files or remote code execution.