CVE-2026-32426 is a Local File Inclusion (LFI) vulnerability found in the themelexus Medilazar Core WordPress plugin, specifically in versions prior to 1.4.7. The vulnerability arises due to improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary files from the server. This can lead to execution of malicious code, disclosure of sensitive information, or server compromise. The flaw is rooted in insufficient input validation and sanitization of user-supplied data before it is passed to PHP file inclusion functions. While the vulnerability is classified as a Local File Inclusion rather than Remote File Inclusion, it still poses a significant risk because attackers can leverage it to read sensitive files such as configuration files, password stores, or even escalate to remote code execution under certain conditions. No known public exploits have been reported yet, but the vulnerability is publicly disclosed and patched in version 1.4.7 of Medilazar Core. The plugin is used primarily in healthcare-related WordPress sites, which often handle sensitive patient data, increasing the risk profile. The absence of a CVSS score means severity must be inferred from the nature of the vulnerability, its impact on confidentiality, integrity, and availability, and the ease of exploitation without authentication.

The impact of CVE-2026-32426 on organizations can be severe, especially those in healthcare or sectors handling sensitive data. Exploitation can lead to unauthorized disclosure of confidential information, including patient records and internal configuration files. Attackers may also execute arbitrary code, potentially gaining full control over the affected server, leading to data tampering, service disruption, or use of the compromised server as a pivot point for further attacks. The vulnerability undermines the integrity and availability of the affected systems, potentially causing reputational damage, regulatory penalties, and operational downtime. Since the Medilazar Core plugin is integrated into WordPress sites, which are widely used globally, the scope of affected systems is significant. The lack of authentication requirement lowers the barrier for exploitation, increasing the threat level. Organizations relying on this plugin without timely patching are at heightened risk of targeted attacks or opportunistic exploitation.

To mitigate CVE-2026-32426, organizations should immediately update the Medilazar Core plugin to version 1.4.7 or later, where the vulnerability is patched. If updating is not immediately possible, implement strict input validation and sanitization on all parameters that influence file inclusion to prevent malicious file paths. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities. Conduct regular security audits and code reviews of custom plugins or themes to identify similar weaknesses. Limit file permissions on the server to restrict access to sensitive files and directories, minimizing the impact of any successful inclusion attempts. Additionally, monitor web server logs for suspicious requests that attempt directory traversal or unusual file inclusion patterns. Educate development teams on secure coding practices related to file handling in PHP to prevent recurrence.