{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39623", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.650Z", "datePublished": "2026-04-08T08:30:26.741Z", "dateUpdated": "2026-04-29T09:52:02.641Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "biolife", "product": "Biolife", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "3.2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.408Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.<p>This issue affects Biolife: from n/a through <= 3.2.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.641Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Biolife theme <= 3.2.3 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:29:23.526336Z", "id": "CVE-2026-39623", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:29:32.027Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39623", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T20:29:23.526336Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:28:15.244Z"}}], "cna": {"title": "WordPress Biolife theme <= 3.2.3 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "kutethemes", "product": "Biolife", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.2.3"}], "packageName": "biolife", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:28:38.408Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.<p>This issue affects Biolife: from n/a through <= 3.2.3.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-29T09:52:02.641Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39623", "state": "PUBLISHED", "dateUpdated": "2026-04-29T09:52:02.641Z", "dateReserved": "2026-04-07T10:57:36.650Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:26.741Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3."}], "id": "CVE-2026-39623", "lastModified": "2026-04-24T18:06:58.907", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:32.547", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Biolife", "source": "cna", "vendor": "kutethemes"}, "product": "biolife", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-09T23:29:07.609524+00:00", "value": {"mitigation_remediation": ["Upgrade the Biolife theme to a version newer than 3.2.3 following the vendor\u2019s update instructions."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the Kutethemes Biolife theme from its first release through version 3.2.3. Any WordPress site that has not upgraded beyond that version is considered at risk.", "description_and_impact": "Improper control of the filename used in PHP include/require statements in the Kutethemes Biolife WordPress theme allows an attacker to specify a local file path. This flaw, classified as CWE\u201198, can enable the reading of arbitrary files on the server, such as wp\u2011config.php or other sensitive configuration files, potentially exposing credentials or server configuration information. The impact is primarily confidentiality and integrity compromise; the CVE description does not explicitly state code execution or full site takeover.", "risk_and_exploitability": "The CVSS base score of 7.5 places this issue in the high severity range, while the EPSS probability is reported as less than 1%, indicating a low likelihood of widespread exploitation at present; it is not listed in the CISA KEV catalog. The likely attack vector is a web-based request that includes a file path parameter, as this flaw can be triggered by an unauthenticated attacker who can craft a request to the vulnerable script. Once the attacker controls the file path, they can read sensitive local files, and if the site allows file uploads or execution of uploaded PHP, further compromise may be possible. Because access to the vulnerable theme files is the minimal prerequisite for exploitation, the risk remains significant for affected sites."}}}}, "created": "2026-04-08T19:29:36.237210+00:00", "updated": "2026-04-10T09:40:56.441485+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$biolife", "wordpress", "wordpress$PRODUCT$wordpress"]}