CVE-2026-39661 Magentech CVE debrief

Who should care

WordPress site administrators using Magentech SW Core plugin; security teams monitoring PHP application vulnerabilities; web application firewall operators; vulnerability management programs tracking WordPress ecosystem risks

Technical summary

The SW Core plugin for WordPress contains a PHP Local File Inclusion vulnerability in versions through 1.7.18. The flaw exists in the handling of filename parameters for PHP include/require statements without adequate validation. An attacker with low privileges can exploit this over the network to include arbitrary local files, potentially leading to sensitive information disclosure, code execution, or complete system compromise. The attack requires high complexity to exploit but yields high impact across confidentiality, integrity, and availability dimensions.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade SW Core to a version newer than 1.7.18 if available from the vendor
• Review application code for unsafe include/require statements that accept user-controlled filenames
• Implement input validation and sanitization for all file path parameters
• Apply principle of least privilege to web server file system access
• Monitor for anomalous file access patterns in web application logs
• If patching is not immediately available, consider Web Application Firewall (WAF) rules to detect and block LFI attack patterns
• Review Patchstack advisory for additional technical details and verification of fixed versions

Evidence notes

Vulnerability classification sourced from NVD record with CVSS 3.1 scoring. CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) confirmed via NVD weaknesses field. Vendor attribution to 'Magentech' and product 'SW Core' derived from CVE description and Patchstack reference. Version range 'n/a through 1.7.18' explicitly stated in CVE description. NVD status 'Deferred' noted in source metadata. No CISA KEV entry present.

Official resources