CVE-2026-57803

Select-Themes · Struktur Core

The Struktur Core plugin for WordPress is vulnerable to local file inclusion due to improper filename validation, potentially allowing attackers to read or execute sensitive server files.

Executive summary

A high-severity local file inclusion vulnerability in the Select-Themes Struktur Core WordPress plugin poses a significant risk of unauthorized file access and remote code execution.

Vulnerability

This vulnerability (CWE-98) allows an authenticated user with low privileges to manipulate include/require statements, leading to Local File Inclusion (LFI). The flaw resides in the handling of file parameters within the plugin's codebase.

Business impact

Successful exploitation of this LFI vulnerability can lead to the exposure of sensitive configuration files, credentials, or source code. With a CVSS score of 7.5, the risk is substantial; an attacker could escalate this access to execute arbitrary PHP code, potentially leading to a complete compromise of the WordPress environment and the underlying web server.

Remediation

Immediate Action: As no patched version is currently available, administrators should immediately deactivate or uninstall the Struktur Core plugin until a secure update is released by the vendor.

Proactive Monitoring: Review web server and WordPress access logs for suspicious file paths (e.g., ../, /etc/passwd) in request parameters associated with the plugin.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common directory traversal and file inclusion patterns to mitigate potential exploitation attempts.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the potential for total system compromise, immediate removal of the vulnerable plugin is the only effective mitigation at this time. Security teams should monitor the vendor's advisory page for patch availability and prioritize testing and deployment immediately upon release.