CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-11426

mediumCVSS 6.5covered by 1 sourcefirst seen 2026-07-11
The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the template_thumbnail parameter and copying their contents into a publicly accessible uploads file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server, which can contain sensitive information.

⚡ Watch CVE-2026-11426

Get an email if CVE-2026-11426 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-11426

CVE.org record

Embed the live status

CVE-2026-11426 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-11426 status](https://www.csirts.com/badge/CVE-2026-11426)](https://www.csirts.com/cve/CVE-2026-11426)