CVE-2026-32364: LFI in Turbo Manager WordPress Plugin
Platform
wordpress
Component
turbo-manager
Fixed in
4.0.8
CVE-2026-32364 describes a Local File Inclusion (LFI) vulnerability affecting the Turbo Manager plugin for WordPress. This vulnerability allows authenticated users with contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of Turbo Manager up to 4.0.8, and a patch is available in version 4.0.8.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The impact of this LFI vulnerability is significant. An attacker with contributor access can leverage this flaw to execute arbitrary PHP code on the server. This could involve uploading a malicious PHP file disguised as an image, then including it through the vulnerable parameter. Successful exploitation allows attackers to bypass access controls, steal sensitive data stored on the server (database credentials, API keys, user data), and potentially gain complete control over the WordPress instance. The blast radius extends to any data accessible by the WordPress application, and the attacker could potentially pivot to other systems on the same network if the server is not properly segmented.
Exploitation Context
CVE-2026-32364 was published on February 16, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing, and an EPSS score is pending evaluation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Threat Intelligence
Exploit Status
EPSS
0.13% (32% percentile)
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required
- Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
- Modified
- EPSS updated
Mitigation and Workarounds
The primary mitigation for CVE-2026-32364 is to immediately upgrade the Turbo Manager plugin to version 4.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file inclusion attempts. Specifically, look for patterns attempting to include files outside of the plugin's designated directories. Additionally, restrict file upload permissions to prevent attackers from uploading malicious PHP files. After upgrading, verify the fix by attempting to access a non-existent file through the vulnerable parameter; the server should return a 404 error instead of executing the file.
How to fix
Update to version 4.0.8, or a newer patched version
Frequently asked questions
What is CVE-2026-32364 — LFI in Turbo Manager WordPress Plugin?
CVE-2026-32364 is a Local File Inclusion vulnerability in the Turbo Manager WordPress plugin, allowing authenticated users to execute arbitrary PHP code. It affects versions up to 4.0.8 and poses a significant security risk to WordPress sites.
Am I affected by CVE-2026-32364 in Turbo Manager WordPress Plugin?
You are affected if your WordPress site uses the Turbo Manager plugin and is running version 4.0.8 or earlier. Check your plugin version immediately to determine your exposure.
How do I fix CVE-2026-32364 in Turbo Manager WordPress Plugin?
Upgrade the Turbo Manager plugin to version 4.0.8 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules and restrict file upload permissions as temporary mitigations.
Is CVE-2026-32364 being actively exploited?
While not currently listed on KEV, the ease of exploitation suggests a high likelihood of active exploitation. Monitor security advisories and threat intelligence for updates.
Where can I find the official Turbo Manager advisory for CVE-2026-32364?
Refer to the official Turbo Manager plugin website and WordPress.org plugin repository for the latest security advisory and update information regarding CVE-2026-32364.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...