CVE-2026-32369 is a Local File Inclusion (LFI) vulnerability found in the RadiusTheme Medilink-Core WordPress theme, specifically in versions prior to 2.0.7. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input and cause the application to include unintended local files. This can lead to disclosure of sensitive files such as configuration files, password files, or application source code. In some cases, LFI can be escalated to Remote Code Execution (RCE) if the attacker can include files containing malicious code or upload files to the server. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers. Although no public exploits are currently known, the flaw is critical because it targets a common PHP programming mistake that can be exploited with crafted HTTP requests. The affected product, Medilink-Core, is a WordPress theme component often used in healthcare-related websites, which may contain sensitive patient or organizational data. The lack of a CVSS score indicates this is a newly published vulnerability, but the technical details and nature of LFI vulnerabilities suggest a high risk. The vulnerability was reserved and published in March 2026 by Patchstack, a known vulnerability database for WordPress components.

The impact of CVE-2026-32369 on organizations can be severe. Exploitation can lead to unauthorized disclosure of sensitive files, including credentials, configuration files, and private data, compromising confidentiality. Attackers may leverage the vulnerability to execute arbitrary code on the server, leading to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks. Healthcare organizations using the Medilink-Core theme are particularly at risk due to the sensitive nature of their data and regulatory requirements such as HIPAA. The vulnerability's ease of exploitation without authentication increases the attack surface and risk of automated scanning and exploitation attempts. This can result in operational disruption, reputational damage, and legal consequences. Given the widespread use of WordPress and the popularity of RadiusTheme products, the scope of affected systems could be significant worldwide.

To mitigate CVE-2026-32369, organizations should immediately update Medilink-Core to version 2.0.7 or later once available. If an update is not immediately possible, implement web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate include or require parameters. Conduct a thorough code review of any customizations to ensure no user input is directly used in file inclusion functions without proper validation and sanitization. Employ the principle of least privilege on the web server to limit the impact of potential exploitation, such as restricting file system permissions to prevent access to sensitive files. Enable detailed logging and monitoring to detect anomalous access patterns indicative of LFI attempts. Additionally, consider isolating the web server environment and using security plugins that can detect and prevent file inclusion attacks. Regularly audit and scan WordPress installations for vulnerable components and maintain an incident response plan tailored to web application attacks.