PatchSiren cyber security CVE debrief
CVE-2026-48972 SeedProd LLC CVE debrief
A PHP Local File Inclusion (LFI) vulnerability exists in SeedProd Pro, a WordPress plugin developed by SeedProd LLC. The vulnerability stems from improper control of filenames in include/require statements (CWE-98), allowing attackers with low privileges to include and execute arbitrary local files on the server. This can lead to information disclosure, code execution, or complete system compromise depending on server configuration. The issue affects all versions prior to 6.19.5. The vulnerability was disclosed on 2026-05-27 and carries a HIGH severity CVSS 3.1 score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). No known exploitation in ransomware campaigns has been reported.
- Vendor: SeedProd LLC
- Product: SeedProd Pro
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
- WordPress site administrators using the SeedProd Pro plugin
- Security teams managing WordPress deployments
- Managed service providers hosting WordPress environments
- Compliance teams tracking HIGH severity web application vulnerabilities
Technical summary
The vulnerability is classified as CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a network attack vector with high attack complexity, requiring low privileges but no user interaction. Successful exploitation yields high impact across confidentiality, integrity, and availability. The high attack complexity (AC:H) suggests that exploitation may depend on specific conditions or bypass techniques. Local File Inclusion vulnerabilities in WordPress plugins typically arise when user-supplied input is used to build the file path passed to an include/require statement without proper sanitization or validation.
Defensive priority
HIGH
Recommended defensive actions
- Update SeedProd Pro to version 6.19.5 or later immediately
- Review web server logs for suspicious file inclusion patterns targeting wp-content/plugins/seedprod-coming-soon-pro-5/
- Implement Web Application Firewall (WAF) rules to block LFI attack patterns
- Apply principle of least privilege to WordPress user accounts
- Enable PHP open_basedir restrictions to limit file system access
- Consider file integrity monitoring for critical WordPress core and plugin files
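A small log-review helper for the actions above, added here as an example and not part of the PatchSiren debrief or SeedProd's own code: it parses combined-format web server lines, decodes the URL (including double encoding), and reports requests under the plugin directory whose query string carries file-inclusion markers. The sample log lines, the script names under the plugin path, and the marker list are constructed assumptions, not observed traffic.

```python
import re
from urllib.parse import unquote

# Plugin directory named in the advisory's log-review recommendation.
PLUGIN_PATH = "/wp-content/plugins/seedprod-coming-soon-pro-5/"

# Markers of file-inclusion probing, checked on the decoded query string.
LFI_MARKERS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "null-byte": re.compile(r"\x00"),
    "php-wrapper": re.compile(r"(?i)\b(?:php|data|expect|phar|zip)://"),
}

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic); script names are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/May/2026:10:01:02 +0000] "GET /wp-content/plugins/seedprod-coming-soon-pro-5/app/view.php?file=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [27/May/2026:10:01:05 +0000] "GET /wp-content/plugins/seedprod-coming-soon-pro-5/public/css/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [27/May/2026:10:01:09 +0000] "GET /wp-content/plugins/seedprod-coming-soon-pro-5/app/view.php?tpl=php://input HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.9 - - [27/May/2026:10:02:00 +0000] "GET /wp-content/plugins/other-plugin/x.php?f=..%252F..%252Fwp-config.php HTTP/1.1" 404 0 "-" "python-requests/2.31"',
]

def decode_url(url, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded input unfolds."""
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def lfi_markers(url):
    # Marker names found in the decoded query string of a request URL.
    query = decode_url(url).partition("?")[2]
    return [name for name, rx in LFI_MARKERS.items() if rx.search(query)]

def scan_log(lines, plugin_only=True):
    """Return (ip, status, url, markers) for requests that look like LFI probes;
    plugin_only=True limits the scan to PLUGIN_PATH as the advisory suggests."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if plugin_only and not decode_url(url).startswith(PLUGIN_PATH):
            continue
        if found := lfi_markers(url):
            hits.append((m.group("ip"), int(m.group("status")), url, found))
    return hits
```

Run `scan_log` over the real access log with `plugin_only=False` as well: a traversal probe against another plugin from the same client is useful context when triaging the SeedProd hits.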
Evidence notes
Vulnerability confirmed via NVD with CVSS vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. Patchstack reference provides technical details. Vendor attribution to SeedProd LLC based on CVE description. CPE criteria not yet available in NVD record (status: Deferred).
Official resources
- CVE-2026-48972 CVE record (CVE.org)
- CVE-2026-48972 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 2026-05-27