CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-27065

CVSS 9.8v3.1pub. 2026-03-19upd. 2026-04-23

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1.

🤖 AI Analysis
How it works

The error classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) involves the plugin failing to properly validate user input before passing it to PHP include or require functions. An attacker can supply a crafted file path, causing the application to include an arbitrary file located on the server. Under specific conditions, this can lead to execution of malicious PHP code contained in such a file.

Impact

An attacker can read sensitive files from the server (e.g., database configuration, credentials) and — under favorable conditions — execute arbitrary PHP code, which threatens complete server takeover.

Mitigation & patch

The BuilderPress plugin should be updated to a version higher than 2.0.1. Details regarding the available patch version should be verified in the vendor's references and in the Patchstack database at the address indicated in the CVE description.

Who is affected

WordPress ThimPress BuilderPress plugin in versions from n/a to 2.0.1 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References