PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-39547 Select-Themes CVE debrief

CVE-2026-39547 is an Unauthenticated Local File Inclusion vulnerability in the Getaway theme for WordPress versions before 1.8. The vulnerability has a CVSS score of 8.1 and is classified as HIGH severity. It allows unauthenticated attackers to include local files, potentially leading to code execution, data exposure, or other malicious activities.

Vendor
Select-Themes
Product
Getaway
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

WordPress users who have installed the Getaway theme version 1.8 or earlier should be concerned about this vulnerability. Additionally, security teams and administrators responsible for maintaining WordPress installations with this theme should prioritize patching.

Technical summary

The vulnerability exists in the Getaway theme, affecting versions prior to 1.8. It is characterized as an Unauthenticated Local File Inclusion (LFI) vulnerability. This type of vulnerability allows an attacker to include files on a server through a web browser, potentially leading to code execution or data exposure. The Common Vulnerabilities and Exposures (CVE) score for this vulnerability is 8.1, indicating high severity. The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, which means the vulnerability can be exploited over the network (AV:N), requires high attack complexity (AC:H), does not require any privileges (PR:N), and has a high impact on confidentiality, integrity, and availability.

Defensive priority

High

Recommended defensive actions

  • Apply the patch or update to Getaway theme version 1.8 or later.
  • Review server logs for any suspicious file inclusion attempts.
  • Implement additional security measures such as web application firewalls (WAFs) to detect and prevent exploitation attempts.
  • Regularly update and patch WordPress themes and plugins.
  • Consider using security scanning tools to identify potential vulnerabilities.

Evidence notes

The CVE record was published on 2026-06-17T13:20:19.760Z and was last modified on 2026-06-17T14:44:26.397Z. The NVD entry is currently Deferred. The vulnerability was reported by [email protected].

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T13:20:19.760Z and has not been modified since then. The NVD entry is currently Deferred.