Esta página aún no ha sido traducida a tu idioma. Mostrando contenido en inglés mientras trabajamos en ello.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-32364: LFI in Turbo Manager WordPress Plugin
Plataforma
wordpress
Componente
turbo-manager
Corregido en
4.0.8
CVE-2026-32364 describes a Local File Inclusion (LFI) vulnerability affecting the Turbo Manager plugin for WordPress. This vulnerability allows authenticated users with contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of Turbo Manager up to 4.0.8, and a patch is available in version 4.0.8.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Impacto y Escenarios de Ataquetraduciendo…
The impact of this LFI vulnerability is significant. An attacker with contributor access can leverage this flaw to execute arbitrary PHP code on the server. This could involve uploading a malicious PHP file disguised as an image, then including it through the vulnerable parameter. Successful exploitation allows attackers to bypass access controls, steal sensitive data stored on the server (database credentials, API keys, user data), and potentially gain complete control over the WordPress instance. The blast radius extends to any data accessible by the WordPress application, and the attacker could potentially pivot to other systems on the same network if the server is not properly segmented.
Contexto de Explotacióntraduciendo…
CVE-2026-32364 was published on February 16, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing, and an EPSS score is pending evaluation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Inteligencia de Amenazas
Estado del Exploit
EPSS
0.13% (32% percentil)
Vector CVSS
¿Qué significan estas métricas?
- Attack Vector
- Red — explotable remotamente por internet. Sin acceso físico ni local. Mayor superficie de ataque.
- Attack Complexity
- Alta — requiere condición de carrera, configuración no predeterminada o circunstancias específicas. Más difícil de explotar.
- Privileges Required
- Bajo — cualquier cuenta de usuario válida es suficiente.
- User Interaction
- Ninguna — el ataque es automático y silencioso. La víctima no hace nada.
- Scope
- Sin cambio — el impacto se limita al componente vulnerable.
- Confidentiality
- Alto — pérdida total de confidencialidad. El atacante puede leer todos los datos.
- Integrity
- Alto — el atacante puede escribir, modificar o eliminar cualquier dato.
- Availability
- Alto — caída completa o agotamiento de recursos. Denegación de servicio total.
Software Afectado
Clasificación de Debilidad (CWE)
Cronología
- Reservado
- Publicada
- Modificada
- EPSS actualizado
Mitigación y Workaroundstraduciendo…
The primary mitigation for CVE-2026-32364 is to immediately upgrade the Turbo Manager plugin to version 4.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file inclusion attempts. Specifically, look for patterns attempting to include files outside of the plugin's designated directories. Additionally, restrict file upload permissions to prevent attackers from uploading malicious PHP files. After upgrading, verify the fix by attempting to access a non-existent file through the vulnerable parameter; the server should return a 404 error instead of executing the file.
Cómo corregirlo
Actualizar a la versión 4.0.8, o una versión parcheada más reciente
Preguntas frecuentestraduciendo…
What is CVE-2026-32364 — LFI in Turbo Manager WordPress Plugin?
CVE-2026-32364 is a Local File Inclusion vulnerability in the Turbo Manager WordPress plugin, allowing authenticated users to execute arbitrary PHP code. It affects versions up to 4.0.8 and poses a significant security risk to WordPress sites.
Am I affected by CVE-2026-32364 in Turbo Manager WordPress Plugin?
You are affected if your WordPress site uses the Turbo Manager plugin and is running version 4.0.8 or earlier. Check your plugin version immediately to determine your exposure.
How do I fix CVE-2026-32364 in Turbo Manager WordPress Plugin?
Upgrade the Turbo Manager plugin to version 4.0.8 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules and restrict file upload permissions as temporary mitigations.
Is CVE-2026-32364 being actively exploited?
While not currently listed on KEV, the ease of exploitation suggests a high likelihood of active exploitation. Monitor security advisories and threat intelligence for updates.
Where can I find the official Turbo Manager advisory for CVE-2026-32364?
Refer to the official Turbo Manager plugin website and WordPress.org plugin repository for the latest security advisory and update information regarding CVE-2026-32364.
¿Tu proyecto está afectado?
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Detecta esta CVE en tu proyecto
Sube tu archivo de dependencias y detecta esta y otras CVEs al instante.
Escanea tu proyecto WordPress ahora — sin cuenta
Sube cualquier manifiesto (composer.lock, package-lock.json, lista de plugins WordPress…) o pega tu lista de componentes. Recibís un reporte de vulnerabilidades al instante. Subir un archivo es solo el primer paso: con una cuenta tenés monitoreo continuo, alertas en tu canal, multi-proyecto y reportes white-label.
Arrastra y suelta tu archivo de dependencias
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...