PatchSiren cyber security CVE debrief
CVE-2026-7522 SigmaPlugin CVE debrief
The Advanced Database Cleaner – Premium plugin for WordPress contains a Local File Inclusion (LFI) vulnerability in versions up to and including 4.1.0. The flaw exists in the handling of the 'template' parameter, which fails to properly validate or sanitize user-supplied input before using it in file inclusion operations. This allows authenticated attackers with Subscriber-level privileges or higher to include and execute arbitrary PHP files present on the server. The vulnerability is classified as CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'). Successful exploitation enables attackers to bypass access controls, access sensitive data, or achieve arbitrary code execution if they can upload and include PHP files. The CVSS 3.1 score of 8.8 (High) reflects the significant impact on confidentiality, integrity, and availability, combined with low attack complexity and no required user interaction. The vulnerability was disclosed on 2026-05-20 and affects the premium version of the plugin developed by Sigmaplugin.
- Vendor
- SigmaPlugin
- Product
- Advanced Database Cleaner – Premium
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-20
- Original CVE updated
- 2026-05-20
- Advisory published
- 2026-05-20
- Advisory updated
- 2026-05-20
Who should care
WordPress site administrators using Advanced Database Cleaner – Premium plugin versions ≤4.1.0; security teams managing WordPress environments; hosting providers with shared WordPress infrastructure; organizations with Subscriber-level user registration enabled
Technical summary
The vulnerability stems from insufficient input validation on the 'template' parameter in the Advanced Database Cleaner – Premium WordPress plugin. Authenticated users with Subscriber+ privileges can manipulate this parameter to include arbitrary local PHP files, leading to code execution. The attack requires network access, low attack complexity, and low privileges, with no user interaction needed. Impact spans full confidentiality, integrity, and availability compromise of the affected WordPress instance.
Defensive priority
high
Recommended defensive actions
- Upgrade Advanced Database Cleaner – Premium to a version newer than 4.1.0 immediately
- Review and restrict Subscriber-level user accounts to minimum necessary privileges
- Implement Web Application Firewall (WAF) rules to detect and block LFI attempts targeting the 'template' parameter
- Audit server file permissions to prevent unauthorized PHP file uploads
- Review access logs for suspicious file inclusion patterns in plugin endpoints
- Disable or remove the plugin if patching is not immediately feasible and functionality is not critical
Evidence notes
Vulnerability confirmed via Wordfence security advisory. Vendor changelog and product download pages referenced as supporting documentation. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-98 identified as primary weakness.
Official resources
2026-05-20