CVE-2026-39661
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion.
This issue affects SW Core: from n/a through 1.7.18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Local File Inclusion in Magentech SW Core plugin (≤1.7.18) allows unauthenticated attackers to read sensitive files, risking complete database takeover.
Vulnerability
The Magentech SW Core plugin for WordPress contains a PHP Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements. Versions through 1.7.18 are affected [1].
Exploitation
An attacker can exploit this by sending a crafted request that includes local files from the target server, without requiring authentication [1].
Impact
Successful exploitation allows the attacker to read sensitive files, such as database configuration files, potentially leading to complete database takeover depending on server configuration [1].
Mitigation
Update the SW Core plugin to a version newer than 1.7.18. If unable, contact a hosting provider or web developer for assistance. The vulnerability is known to be used in mass-exploit campaigns [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<=1.7.18+ 1 more
- (no CPE)range: <=1.7.18
- (no CPE)range: <=1.7.18
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.