{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39544", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:48:21.621Z", "datePublished": "2026-04-08T08:30:17.993Z", "dateUpdated": "2026-04-08T08:30:17.993Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "labtechco", "product": "LabtechCO", "vendor": "themeStek", "versions": [{"changes": [{"at": "8.4", "status": "unaffected"}], "lessThanOrEqual": "8.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:51.788Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.<p>This issue affects LabtechCO: from n/a through <= 8.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.This issue affects LabtechCO: from n/a through <= 8.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:17.993Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/labtechco/vulnerability/wordpress-labtechco-theme-8-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress LabtechCO theme <= 8.3 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.This issue affects LabtechCO: from n/a through <= 8.3."}], "id": "CVE-2026-39544", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:27.070", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/labtechco/vulnerability/wordpress-labtechco-theme-8-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "8.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "LabtechCO", "source": "cna", "vendor": "themeStek"}, "product": "labtechco", "vendor": "themestek"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T10:38:09.442616+00:00", "value": {"mitigation_remediation": ["Upgrade the LabtechCO theme to a version newer than 8.3"], "summary": {"action": "Apply Patch", "impact": "Local file inclusion that can lead to code execution or data exposure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the LabtechCO theme provided by themeStek. All releases from the first version through version 8.3 are susceptible. Any WordPress site actively using the theme before the patched release is vulnerable.", "description_and_impact": "The LabtechCO WordPress theme contains improper control of the filename used in include/require statements in PHP. This flaw allows an attacker to influence which local file is included by the theme, potentially enabling the execution of arbitrary code or the disclosure of sensitive files on the server.", "risk_and_exploitability": "No CVSS or EPSS score is published for this issue, and it is not listed in the CISA KEV catalog. The likely attack vector is via an application\u2011level request that can manipulate the include path, such as a crafted URL or form input. While no public exploits have been documented, the classic PHP Local File Inclusion behavior suggests that the flaw could be triggered by providing a malicious path, resulting in code execution or data leakage."}}}}, "created": "2026-04-08T19:30:17.955120+00:00", "updated": "2026-04-08T19:42:35.604036+00:00", "vendors": ["themestek", "themestek$PRODUCT$labtechco", "wordpress", "wordpress$PRODUCT$wordpress"]}