CVE-2026-32537 identifies a Local File Inclusion (LFI) vulnerability in the nK Visual Portfolio, Photo Gallery & Post Grid WordPress plugin, versions up to 3.5.1. The root cause is improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the input to include arbitrary files from the server's filesystem. This can lead to disclosure of sensitive files such as configuration files, password files, or application source code. In some cases, if combined with other vulnerabilities or misconfigurations, it could enable remote code execution. The vulnerability arises because the plugin fails to properly sanitize or validate user-supplied input that determines which files are included. Although no public exploits are currently known, the nature of LFI vulnerabilities makes them attractive targets for attackers. The plugin is widely used in WordPress environments for managing portfolios and photo galleries, increasing the potential attack surface. The vulnerability was published on March 25, 2026, with no CVSS score assigned yet. The lack of authentication requirements and the ability to access sensitive files without user interaction increase the severity of this issue.

The impact of CVE-2026-32537 can be significant for organizations using the affected plugin. Successful exploitation can lead to unauthorized disclosure of sensitive information such as server configuration files, database credentials, or user data, compromising confidentiality. Attackers may also leverage this vulnerability to execute arbitrary code if they can include files containing malicious payloads, threatening system integrity and availability. This can result in website defacement, data breaches, or full server compromise. Organizations relying on this plugin for their WordPress sites, especially those hosting sensitive or business-critical content, face increased risk of reputational damage, regulatory penalties, and operational disruption. The vulnerability's ease of exploitation without authentication further elevates the threat level, making automated scanning and exploitation plausible. Although no active exploits are reported, the potential for rapid weaponization exists given the popularity of WordPress and the plugin's user base.

To mitigate CVE-2026-32537, organizations should immediately monitor for updates or patches released by the nK plugin developers and apply them promptly. In the absence of an official patch, administrators should consider temporarily disabling or removing the affected plugin to eliminate the attack vector. Implement strict input validation and sanitization on any parameters that influence file inclusion to prevent manipulation. Deploy Web Application Firewalls (WAFs) with rules specifically designed to detect and block LFI attack patterns targeting PHP include statements. Conduct regular security audits and code reviews of custom plugins or themes to identify similar vulnerabilities. Restrict file permissions on the server to limit access to sensitive files and directories, minimizing the impact of potential exploitation. Additionally, maintain comprehensive logging and monitoring to detect suspicious access attempts related to file inclusion. Educate development teams on secure coding practices to prevent recurrence of such vulnerabilities.