CVE-2026-27065

ThimPress · BuilderPress

BuilderPress by ThimPress contains a PHP Local File Inclusion (LFI) vulnerability caused by improper control of filenames in include/require statements.

Executive summary

ThimPress BuilderPress versions through 2.0.1 are vulnerable to a critical Local File Inclusion flaw, permitting attackers to read sensitive system files or execute arbitrary PHP code.

Vulnerability

The application exhibits improper control of filenames used in include or require statements, resulting in a PHP Local File Inclusion vulnerability that allows attackers to manipulate file paths.

Business impact

This vulnerability, rated with a critical CVSS score of 9.8, allows an attacker to access sensitive information or execute malicious code on the server. The potential for full system compromise and unauthorized data access makes this an urgent priority for remediation to prevent complete breach of the application environment.

Remediation

Immediate Action: Update the BuilderPress plugin to the latest version provided by ThimPress to fix the file inclusion logic.

Proactive Monitoring: Review web server access logs for anomalous requests containing path traversal sequences or attempts to access system files (e.g., /etc/passwd).

Compensating Controls: Configure the web server to restrict directory access and utilize a WAF to block requests containing directory traversal characters or suspicious file path patterns.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Given the critical nature of this LFI vulnerability, it is imperative that administrators update to the latest version of the BuilderPress plugin immediately. Failure to patch may result in unauthorized access to sensitive configuration files or remote code execution.