{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39623", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:57:36.650Z", "datePublished": "2026-04-08T08:30:26.741Z", "dateUpdated": "2026-04-08T08:30:26.741Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "biolife", "product": "Biolife", "vendor": "kutethemes", "versions": [{"lessThanOrEqual": "3.2.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:38.408Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.<p>This issue affects Biolife: from n/a through <= 3.2.3.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:26.741Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Biolife theme <= 3.2.3 - Local File Inclusion vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through <= 3.2.3."}], "id": "CVE-2026-39623", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:32.547", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/biolife/vulnerability/wordpress-biolife-theme-3-2-3-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Biolife", "source": "cna", "vendor": "kutethemes"}, "product": "biolife", "vendor": "kutethemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:38:54.921499+00:00", "value": {"mitigation_remediation": ["Update the Biolife theme to any version newer than 3.2.3.", "If an immediate update is not possible, modify the theme's code to use absolute paths or remove the vulnerable include functionality.", "Consider deploying a web application firewall to block or rate\u2011limit suspicious LFI requests."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The Biolife theme for WordPress, supplied by kutethemes, is affected in all releases up to and including 3.2.3, as the vulnerability exists from the theme's initial release. Users running these versions should be aware that the flaw is present throughout that range.", "description_and_impact": "The CVE identifies an improper control of the filename used in PHP include/require statements within the Biolife theme, classified as CWE-98, allowing Local File Inclusion that can expose sensitive server files or enable code execution. The description states the issue permits PHP Local File Inclusion.", "risk_and_exploitability": "No CVSS score is available, EPSS is not reported, and the vulnerability is not in the KEV catalog. The description suggests that the issue can be triggered via crafted inputs into the theme's include logic, implying a remote web-facing attack vector. Without further data, the likelihood of exploitation cannot be precisely assessed."}}}}, "created": "2026-04-08T19:29:36.237210+00:00", "updated": "2026-04-08T19:41:52.877754+00:00", "vendors": ["kutethemes", "kutethemes$PRODUCT$biolife", "wordpress", "wordpress$PRODUCT$wordpress"]}