PatchSiren cyber security CVE debrief
CVE-2026-39547 Select-Themes CVE debrief
CVE-2026-39547 is an Unauthenticated Local File Inclusion vulnerability in the Getaway theme for WordPress versions before 1.8. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. It allows unauthenticated attackers to include local files, potentially leading to code execution, data exposure, or other malicious activities.
- Vendor
- Select-Themes
- Product
- Getaway
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
WordPress users who have installed the Getaway theme version 1.8 or earlier should be concerned about this vulnerability. Additionally, security teams and administrators responsible for maintaining WordPress installations with this theme should prioritize patching.
Technical summary
The vulnerability exists in the Getaway theme, affecting versions prior to 1.8. It is characterized as an Unauthenticated Local File Inclusion (LFI) vulnerability. This type of vulnerability allows an attacker to include files on a server through a web browser, potentially leading to code execution or data exposure. The Common Vulnerabilities and Exposures (CVE) score for this vulnerability is 8.1, indicating high severity. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which means the vulnerability can be exploited over the network (AV:N), requires high attack complexity (AC:H), does not require any privileges (PR:N), and has a high impact on confidentiality, integrity, and availability.
Defensive priority
High
Recommended defensive actions
- Apply the patch or update to Getaway theme version 1.8 or later.
- Review server logs for any suspicious file inclusion attempts.
- Implement additional security measures such as web application firewalls (WAFs) to detect and prevent exploitation attempts.
- Regularly update and patch WordPress themes and plugins.
- Consider using security scanning tools to identify potential vulnerabilities.
Evidence notes
The CVE record was published on 2026-06-17T13:20:19.760Z and was last modified on 2026-06-17T14:44:26.397Z. The NVD entry is currently Deferred. The vulnerability was reported by [email protected].
Official resources
-
CVE-2026-39547 CVE record
CVE.org
-
CVE-2026-39547 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:19.760Z and has not been modified since then. The NVD entry is currently Deferred.