PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11426 WebFactory CVE debrief

The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the template_thumbnail parameter and copying their contents into a publicly accessible uploads file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server, which can contain sensitive information. The vulnerability has a CVSS score of 6.5 (MEDIUM) and is considered a medium priority due to the potential for sensitive information disclosure.

Vendor
WebFactory
Product
Under Construction Page (Pro)
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-11
Original CVE updated
2026-07-11
Advisory published
2026-07-11
Advisory updated
2026-07-11

Who should care

Users of the UnderConstructionPage PRO plugin for WordPress, particularly those with sensitive information on their servers, should be aware of this vulnerability and take immediate action to protect themselves. This includes updating the plugin to the latest version, restricting access to the plugin's functionality, and monitoring server logs for suspicious file access attempts. Additionally, users should review their server configurations and file permissions to prevent exploitation.

Technical summary

The UnderConstructionPage PRO plugin for WordPress, version 5.76 and below, is vulnerable to Arbitrary File Read. The plugin accepts arbitrary local file paths in the template_thumbnail parameter, allowing authenticated attackers with Subscriber-level access and above to read arbitrary files on the server. These files can contain sensitive information, such as database credentials, system configurations, or other confidential data. The vulnerability is due to insufficient input validation and sanitization of the template_thumbnail parameter.

Defensive priority

Medium priority due to the potential for sensitive information disclosure and the relatively low complexity of exploitation.

Recommended defensive actions

  • Update the UnderConstructionPage PRO plugin to the latest version.
  • Restrict access to the plugin's functionality to prevent unauthorized file reads.
  • Monitor server logs for suspicious file access attempts.
  • Consider implementing additional security measures, such as web application firewalls.
  • Review server configurations and file permissions to prevent exploitation.
  • Perform a thorough review of server logs to detect potential exploitation attempts.
  • Implement a vulnerability management process to ensure timely patching of vulnerable plugins.

Evidence notes

The CVE record was published on 2026-07-11T02:16:17.287Z and has not been modified since then. The NVD entry is currently 6.5 (MEDIUM). The UnderConstructionPage PRO plugin for WordPress, version 5.76 and below, is vulnerable to Arbitrary File Read. The plugin accepts arbitrary local file paths in the template_thumbnail parameter, allowing authenticated attackers with Subscriber-level access and above to read arbitrary files on the server. These files can contain sensitive information. There is no evidence of exploitation in the wild, but defenders should verify the integrity of their server logs and monitor for suspicious file access attempts.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-11T02:16:17.287Z and has not been modified since then.