Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-32364: LFI in Turbo Manager WordPress Plugin
Platform
wordpress
Component
turbo-manager
Opgelost in
4.0.8
CVE-2026-32364 describes a Local File Inclusion (LFI) vulnerability affecting the Turbo Manager plugin for WordPress. This vulnerability allows authenticated users with contributor-level access or higher to include and execute arbitrary files on the server, potentially leading to code execution. The vulnerability impacts versions of Turbo Manager up to 4.0.8, and a patch is available in version 4.0.8.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
The impact of this LFI vulnerability is significant. An attacker with contributor access can leverage this flaw to execute arbitrary PHP code on the server. This could involve uploading a malicious PHP file disguised as an image, then including it through the vulnerable parameter. Successful exploitation allows attackers to bypass access controls, steal sensitive data stored on the server (database credentials, API keys, user data), and potentially gain complete control over the WordPress instance. The blast radius extends to any data accessible by the WordPress application, and the attacker could potentially pivot to other systems on the same network if the server is not properly segmented.
Uitbuitingscontextwordt vertaald…
CVE-2026-32364 was published on February 16, 2026. The vulnerability is not currently listed on KEV (Known Exploited Vulnerabilities) as of this writing, and an EPSS score is pending evaluation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
Dreigingsinformatie
Exploit Status
EPSS
0.13% (32% percentiel)
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Hoog — vereist een race condition, niet-standaard configuratie of specifieke omstandigheden.
- Privileges Required
- Laag — elk geldig gebruikersaccount is voldoende.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- Gewijzigd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2026-32364 is to immediately upgrade the Turbo Manager plugin to version 4.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file inclusion attempts. Specifically, look for patterns attempting to include files outside of the plugin's designated directories. Additionally, restrict file upload permissions to prevent attackers from uploading malicious PHP files. After upgrading, verify the fix by attempting to access a non-existent file through the vulnerable parameter; the server should return a 404 error instead of executing the file.
Hoe te verhelpen
Update naar versie 4.0.8, of een nieuwere gepatchte versie
Veelgestelde vragenwordt vertaald…
What is CVE-2026-32364 — LFI in Turbo Manager WordPress Plugin?
CVE-2026-32364 is a Local File Inclusion vulnerability in the Turbo Manager WordPress plugin, allowing authenticated users to execute arbitrary PHP code. It affects versions up to 4.0.8 and poses a significant security risk to WordPress sites.
Am I affected by CVE-2026-32364 in Turbo Manager WordPress Plugin?
You are affected if your WordPress site uses the Turbo Manager plugin and is running version 4.0.8 or earlier. Check your plugin version immediately to determine your exposure.
How do I fix CVE-2026-32364 in Turbo Manager WordPress Plugin?
Upgrade the Turbo Manager plugin to version 4.0.8 or later to resolve the vulnerability. If immediate upgrade is not possible, implement WAF rules and restrict file upload permissions as temporary mitigations.
Is CVE-2026-32364 being actively exploited?
While not currently listed on KEV, the ease of exploitation suggests a high likelihood of active exploitation. Monitor security advisories and threat intelligence for updates.
Where can I find the official Turbo Manager advisory for CVE-2026-32364?
Refer to the official Turbo Manager plugin website and WordPress.org plugin repository for the latest security advisory and update information regarding CVE-2026-32364.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Scan nu uw WordPress project — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...