CVE-2026-7522
Description
The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated local file inclusion in Advanced Database Cleaner – Premium plugin via the 'template' parameter (≤4.1.0), allowing arbitrary PHP execution.
Vulnerability
Overview
The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion (LFI) in versions up to and including 4.1.0 [1]. The flaw resides in the insecure handling of the template parameter, which allows authenticated users to include arbitrary PHP files from the server. The plugin, rebuilt in version 4.x with a REST API-driven backend and React interface, introduced this vulnerability in its new codebase [2].
Attack
Vector
An attacker must have a WordPress account with at least Subscriber-level access to exploit this vulnerability [1]. The plugin does not properly sanitize or restrict the file path supplied in the template parameter, so any .php file present on the server's filesystem can be included. No special network position or additional authentication beyond the WordPress session is required.
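As an added illustration, not code from the plugin or from this record: the weak pattern the description refers to (a user-controlled value reaching include()) beside an allowlisted resolver that also verifies the canonical path stays inside the template directory. TEMPLATE_DIR, the template names and the function names are assumptions.

```php
<?php
// Assumed layout: the plugin keeps its page templates in one directory.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = ['overview', 'tables', 'options', 'cron'];

/**
 * Weak pattern: the request value is concatenated into an include path
 * unchanged, so traversal sequences reach any readable .php file.
 */
function render_template_unsafe(string $template): void
{
    include TEMPLATE_DIR . '/' . $template . '.php';
}

/**
 * Hardened pattern: accept only known template names, then confirm
 * the canonical path is under TEMPLATE_DIR as defence in depth.
 * Returns the resolved path, or null when the request must be refused.
 */
function resolve_template(string $template): ?string
{
    // 1. Exact-match allowlist; this alone defeats path traversal.
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Canonicalise both sides and require a directory-prefix match.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// For a WordPress REST route, also set 'permission_callback' in
// register_rest_route() to require a management capability, e.g.
// current_user_can('manage_options'), rather than any logged-in user.
```

Because the description notes that Subscriber-level accounts can reach the parameter, the capability check in the route is as important as the path validation.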
Impact
Successful exploitation allows the attacker to include and execute arbitrary PHP code residing in files on the server [1]. This can lead to bypassing access controls, reading sensitive data, or achieving full remote code execution if the attacker can also upload a malicious .php file (e.g., through a separate file upload vulnerability or misconfiguration). The CVSS v3 score of 8.8 reflects the high potential for complete compromise of confidentiality, integrity, and availability.
Mitigation
The vendor released version 4.1.1 on May 5, 2026, which addresses this vulnerability [2]. Users are strongly advised to update to the latest version. No workarounds other than upgrading have been documented.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=4.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.