Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-32364: LFI in Turbo Manager WordPress Plugin
Plateforme
wordpress
Composant
turbo-manager
Corrigé dans
4.0.8
CVE-2026-32364 describes a Local File Inclusion (LFI) vulnerability affecting the Turbo Manager plugin for WordPress. This vulnerability allows authenticated users with contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of Turbo Manager up to 4.0.8, and a patch is available in version 4.0.8.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
The impact of this LFI vulnerability is significant. An attacker with contributor access can leverage this flaw to execute arbitrary PHP code on the server. This could involve uploading a malicious PHP file disguised as an image, then including it through the vulnerable parameter. Successful exploitation allows attackers to bypass access controls, steal sensitive data stored on the server (database credentials, API keys, user data), and potentially gain complete control over the WordPress instance. The blast radius extends to any data accessible by the WordPress application, and the attacker could potentially pivot to other systems on the same network if the server is not properly segmented.
Contexte d'Exploitationtraduction en cours…
CVE-2026-32364 was published on February 16, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing, and an EPSS score is pending evaluation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.13% (percentile 32%)
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Élevée — nécessite une condition de course, configuration non standard ou circonstances spécifiques.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2026-32364 is to immediately upgrade the Turbo Manager plugin to version 4.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file inclusion attempts. Specifically, look for patterns attempting to include files outside of the plugin's designated directories. Additionally, restrict file upload permissions to prevent attackers from uploading malicious PHP files. After upgrading, verify the fix by attempting to access a non-existent file through the vulnerable parameter; the server should return a 404 error instead of executing the file.
Comment corriger
Mettre à jour vers la version 4.0.8, ou une version corrigée plus récente
Questions fréquentestraduction en cours…
What is CVE-2026-32364 — LFI in Turbo Manager WordPress Plugin?
CVE-2026-32364 is a Local File Inclusion vulnerability in the Turbo Manager WordPress plugin, allowing authenticated users to execute arbitrary PHP code. It affects versions up to 4.0.8 and poses a significant security risk to WordPress sites.
Am I affected by CVE-2026-32364 in Turbo Manager WordPress Plugin?
You are affected if your WordPress site uses the Turbo Manager plugin and is running version 4.0.8 or earlier. Check your plugin version immediately to determine your exposure.
How do I fix CVE-2026-32364 in Turbo Manager WordPress Plugin?
Upgrade the Turbo Manager plugin to version 4.0.8 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules and restrict file upload permissions as temporary mitigations.
Is CVE-2026-32364 being actively exploited?
While not currently listed on KEV, the ease of exploitation suggests a high likelihood of active exploitation. Monitor security advisories and threat intelligence for updates.
Where can I find the official Turbo Manager advisory for CVE-2026-32364?
Refer to the official Turbo Manager plugin website and WordPress.org plugin repository for the latest security advisory and update information regarding CVE-2026-32364.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Scannez votre projet WordPress maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...