CVE-2026-7522 Overview
CVE-2026-7522 is a Local File Inclusion (LFI) vulnerability in the Advanced Database Cleaner – Premium plugin for WordPress. The flaw affects all versions up to and including 4.1.0 and stems from improper handling of the template parameter. Authenticated users with Subscriber-level access or higher can include and execute arbitrary .php files on the server. Successful exploitation allows attackers to bypass access controls, read sensitive data, and achieve remote code execution when combined with file upload primitives. The vulnerability is classified under CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program.
Critical Impact
Authenticated Subscriber-level attackers can execute arbitrary PHP code on the underlying server, leading to full site compromise.
Affected Products
- Advanced Database Cleaner – Premium plugin for WordPress
- All versions up to and including 4.1.0
- Sites running the SigmaPlugin Advanced Database Cleaner Premium edition
Discovery Timeline
- 2026-05-20 - CVE-2026-7522 published to the National Vulnerability Database
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7522
Vulnerability Analysis
The vulnerability resides in how the Advanced Database Cleaner – Premium plugin processes the template parameter. The plugin uses this user-controlled value as part of a PHP include or require statement without sufficient validation or sanitization. An authenticated attacker can supply a crafted value that resolves to an arbitrary .php file on the file system. When the plugin includes the file, the PHP interpreter executes its contents in the WordPress application context.
Local File Inclusion in PHP applications often escalates to remote code execution. If an attacker can write PHP content to any readable path, such as through media uploads, log poisoning, or session files, the inclusion primitive triggers execution. The Subscriber-level privilege requirement is a low bar because WordPress sites frequently allow open registration for comments, memberships, or e-commerce.
Root Cause
The root cause is unsanitized user input flowing into a PHP file inclusion function. The plugin trusts the template request parameter and fails to enforce an allow-list of permitted template paths. This pattern matches CWE-98, where dynamic filename construction in include, require, include_once, or require_once statements exposes the server to arbitrary file execution.
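As an added illustration (not code from the Advanced Database Cleaner plugin) of the CWE-98 pattern and of the allow-list fix described above: a template include that trusts the request value, beside a hardened version that only accepts known template names and confirms the resolved path stays inside the template directory. The directory, the template names and the capability check are assumptions, and the hardened function assumes it runs inside WordPress.

```php
<?php
// Added illustration, not code from the Advanced Database Cleaner plugin.
// $templateDir and the template names are assumed for this example.

// Vulnerable pattern (CWE-98): the request value reaches include unchecked, so a
// traversal value or an absolute path selects an arbitrary .php file on disk.
function render_template_vulnerable(string $templateDir): void {
    $template = $_REQUEST['template'] ?? 'default';
    include $templateDir . '/' . $template . '.php';
}

// Hardened pattern: accept only names from a fixed allow-list, then confirm the
// resolved path still lives inside the template directory.
function resolve_template(string $templateDir, string $requested): ?string {
    $allowed = ['default', 'tables', 'options', 'cron'];  // assumed template names
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $requested . '.php');
    // realpath() is false for missing files; reject any path that escapes the
    // template directory (symlinks, traversal) as defence in depth.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Assumes a WordPress request context: only administrators should reach a
// database-maintenance screen at all, which closes the Subscriber-level path.
function render_template_hardened(string $templateDir): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    $requested = (string) ($_REQUEST['template'] ?? 'default');
    $path = resolve_template($templateDir, $requested);
    if ($path === null) {
        wp_die('Unknown template', 400);
    }
    include $path;
}
```

The capability check matters on its own: even with a correct allow-list, a database-cleaning screen reachable by Subscribers is a broader exposure than the plugin needs.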
Attack Vector
The attack vector is network-based and requires authentication at the Subscriber role or higher. An attacker first obtains a low-privilege WordPress account, then issues a request to a vulnerable plugin endpoint with a malicious template value pointing at a .php file on disk. The plugin includes the file, and the PHP runtime executes any code within it. Refer to the Wordfence Vulnerability Advisory for additional technical context.
Detection Methods for CVE-2026-7522
Indicators of Compromise
- HTTP requests to plugin endpoints containing a template parameter with path traversal sequences such as ../ or absolute file paths ending in .php
- Unexpected PHP execution originating from uploaded media files, log files, or session files in wp-content/uploads
- New or modified PHP files in plugin and theme directories that do not match the official distribution
- Outbound connections from the web server to attacker-controlled infrastructure following authenticated Subscriber requests
Detection Strategies
- Inspect web server access logs for authenticated requests targeting Advanced Database Cleaner endpoints with suspicious template values
- Correlate Subscriber-level logins with subsequent administrative actions or file system changes on the host
- Enable PHP open_basedir restrictions and log violations to surface inclusion attempts outside the WordPress root
- Monitor WordPress wp_options and user role tables for unauthorized privilege changes that often follow LFI-to-RCE chains
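Added example (not part of the advisory) for the first indicator and the first detection strategy above: a scanner run over constructed combined-format access log lines that flags requests whose template parameter decodes to a traversal sequence or an absolute .php path. The endpoint path and the other query names in the sample lines are assumptions; the check applies to any request carrying a template parameter, which is slightly broader than the plugin endpoint alone.

```php
<?php
// Added example, not from the advisory: find access-log requests whose
// "template" query parameter looks like a file inclusion attempt.

function template_param_is_suspicious(string $value): bool {
    // parse_str() already decoded once; decode again to catch double encoding.
    $decoded = rawurldecode($value);
    $decoded = str_replace('\\', '/', $decoded);
    return preg_match('#(^|/)\.\.(/|$)#', $decoded) === 1   // ../ traversal
        || preg_match('#^/.*\.php$#i', $decoded) === 1       // absolute .php path
        || strpos($decoded, "\0") !== false;                 // NUL truncation
}

// Returns one entry per suspicious line: ip, timestamp, raw template value, status.
function scan_access_log(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        // Combined log format: IP - user [time] "METHOD /path?query HTTP/x" status ...
        if (!preg_match('#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
            continue;
        }
        [, $ip, $time, $method, $target, $status] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);
        if (!isset($params['template']) || !is_string($params['template'])) {
            continue;
        }
        if (template_param_is_suspicious($params['template'])) {
            $hits[] = ['ip' => $ip, 'time' => $time, 'method' => $method,
                       'template' => $params['template'], 'status' => $status];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the page= value is assumed.
$sample = [
    '203.0.113.5 - - [20/May/2026:10:01:02 +0000] "GET /wp-admin/admin.php?page=advanced_db_cleaner&template=default HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/May/2026:10:01:07 +0000] "GET /wp-admin/admin.php?page=advanced_db_cleaner&template=..%2F..%2F..%2Fwp-content%2Fuploads%2F2026%2F05%2Fimage.php HTTP/1.1" 200 88',
];
foreach (scan_access_log($sample) as $hit) {
    printf("%s %s %s template=%s status=%s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['template'], $hit['status']);
}
```

A 200 status on a flagged request deserves follow-up on the host (new PHP files, process lineage), since a successful include leaves no further trace in the web log.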
Monitoring Recommendations
- Alert on creation of new PHP files within wp-content/uploads or other writable directories
- Track process lineage where the PHP-FPM or web server worker spawns shell, curl, wget, or python child processes
- Forward WordPress audit logs and web access logs to a centralized analytics platform for retroactive threat hunting
- Apply Web Application Firewall (WAF) rules that block path traversal patterns in query string and POST parameters
How to Mitigate CVE-2026-7522
Immediate Actions Required
- Update the Advanced Database Cleaner – Premium plugin to a version later than 4.1.0 as soon as a patched release is published by SigmaPlugin
- Audit existing WordPress user accounts and remove unused Subscriber-level accounts to reduce the authenticated attack surface
- Disable open user registration on sites that do not require it, and enforce strong authentication for all roles
- Review the file system for unauthorized PHP files in upload and cache directories
Patch Information
Review the SigmaPlugin Changelog and the SigmaPlugin Download Page for the latest fixed release. Apply the vendor update through the WordPress admin dashboard or by replacing the plugin directory with the patched version. Verify the plugin version after the update by checking the Plugins page in wp-admin.
Workarounds
- Deactivate and remove the Advanced Database Cleaner – Premium plugin until a fix is applied
- Restrict access to plugin administrative endpoints using web server access controls or a Web Application Firewall
- Configure PHP open_basedir to limit file inclusion to the WordPress installation directory
- Set allow_url_include = Off and allow_url_fopen = Off in php.ini to reduce inclusion-based attack paths
# Example php.ini hardening to limit file inclusion exposure
# (paths are illustrative; adjust open_basedir to the actual web root)
allow_url_include = Off
allow_url_fopen = Off
open_basedir = "/var/www/html:/tmp"
# Note: /tmp is typically also PHP's session and upload temp directory, so
# listing it keeps sessions working but leaves those files inside the
# inclusion boundary; prefer a dedicated session.save_path where possible.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.