CVE-2026-32369 in Medilink-Core Plugin
Summary
by MITRE • 03/13/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion. This issue affects Medilink-Core: from n/a through < 2.0.7.
Analysis
by VulDB Data Team • 03/13/2026
The CVE-2026-32369 vulnerability represents a critical PHP Remote File Inclusion flaw within the RadiusTheme Medilink-Core plugin, specifically impacting versions prior to 2.0.7. This vulnerability stems from improper validation of filename parameters in include/require statements, creating a pathway for malicious actors to execute arbitrary code on affected systems. The issue manifests when user-controllable input is directly incorporated into PHP include directives without adequate sanitization or validation, allowing attackers to manipulate the inclusion process and potentially load malicious files from remote servers or local filesystem locations.
This vulnerability falls under CWE-98, which covers improper control of the filename used in an include or require statement, placing it in the same family as the well-known PHP Local File Inclusion (LFI) attack vectors. In ATT&CK terms it maps to techniques under the privilege escalation and persistence tactics, since an attacker who can execute arbitrary code through the inclusion can also establish a backdoor in the target environment. The root cause is the absence of input validation that should have stopped untrusted user data from reaching the include statement.
The operational impact of this vulnerability extends beyond simple code execution, as it can enable attackers to access sensitive system information, manipulate database contents, or even compromise the entire web application infrastructure. When exploited, the vulnerability allows for arbitrary file inclusion attacks that can lead to complete system compromise, data theft, or service disruption. The affected Medilink-Core plugin operates within WordPress environments, making it particularly dangerous as it can serve as a gateway for attackers to target the broader WordPress ecosystem and potentially move laterally within network infrastructure.
Mitigation should focus on immediate patching to version 2.0.7 or later, which adds proper input validation and sanitization. At the application level, validate input against an allowlist of acceptable filename patterns and restrict file inclusion through PHP configuration settings; both measures significantly reduce the attack surface. Network-level protections such as web application firewalls should be configured to monitor and block suspicious include-parameter patterns. The vulnerability highlights the importance of secure coding practices and proper parameter validation wherever file inclusion is driven by dynamic input. Organizations should also run regular security assessments and vulnerability scans to find similar issues in their PHP applications, and ensure that all third-party plugins and themes undergo a security review before deployment in production environments.
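The following is an added example, not code from the Medilink-Core plugin, showing the CWE-98 pattern the analysis describes next to the allowlist-based hardening it recommends. The function names, the `layout` parameter and the template file names are hypothetical; the demo at the bottom creates its own temporary template directory so it runs offline under the PHP CLI.

```php
<?php
// Added example (not Medilink-Core's code). Demonstrates the CWE-98 pattern
// described in the advisory and an allowlist-based fix. Names are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern: the request parameter is used in include() as-is. ---
// With allow_url_include=On this is remote file inclusion; with it Off (the
// default) it is still local file inclusion, because nothing rejects ".." or
// absolute paths. Deployment hardening (php.ini): allow_url_include=Off and an
// open_basedir restriction limit what an include can reach, but do not fix
// the code.
function render_layout_vulnerable(string $layout, string $templateDir): void
{
    include $templateDir . '/' . $layout . '.php';
}

// --- Hardened version: a short token selects from a fixed set of files. ---
const ALLOWED_LAYOUTS = [
    'default' => 'default.php',
    'sidebar' => 'sidebar.php',
    'landing' => 'landing.php',
];

/**
 * Resolve a user-supplied layout token to a canonical path, or return null
 * when it is not on the allowlist or does not resolve inside $templateDir.
 */
function resolve_layout(string $layout, string $templateDir): ?string
{
    // 1. Allowlist lookup: the raw input is never used to build a path.
    if (!array_key_exists($layout, ALLOWED_LAYOUTS)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm the result still lies
    //    under the template directory (guards against a bad allowlist entry
    //    or a symlinked template file).
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . ALLOWED_LAYOUTS[$layout]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_hardened(string $layout, string $templateDir): void
{
    $path = resolve_layout($layout, $templateDir);
    if ($path === null) {
        http_response_code(400);
        // Rejected values are worth logging: they feed WAF and SIEM detection.
        error_log('rejected layout parameter: ' . $layout);
        return;
    }
    include $path;
}

// --- Demo (constructed data): build a temporary template directory and show
// which inputs the hardened resolver accepts. ---
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
    mkdir($dir, 0700, true);
    foreach (ALLOWED_LAYOUTS as $file) {
        file_put_contents("$dir/$file", "<?php echo basename(__FILE__), \" loaded\\n\";\n");
    }
    $inputs = ['default', 'landing', '../secrets', 'http://example.invalid/remote', 'missing'];
    foreach ($inputs as $input) {
        $resolved = resolve_layout($input, $dir);
        echo str_pad($input, 32), ' => ', $resolved === null ? 'REJECTED' : 'ok', "\n";
    }
    render_layout_hardened('sidebar', $dir);   // includes sidebar.php
    foreach (ALLOWED_LAYOUTS as $file) {
        unlink("$dir/$file");
    }
    rmdir($dir);
}
```

Run it with `php example.php`: only the three allowlisted tokens resolve, and every other value, including traversal strings and URLs, is rejected before `include` is reached. The allowlist is the actual fix; the `realpath` prefix check is a second layer so a future mistake in the allowlist table cannot silently widen what can be included.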