Local File Inclusion Vulnerability in Advanced Database Cleaner Plugin for WordPress
CVE-2026-7522

8.8HIGH

Key Information:

Vendor

WordPress
Status
Advanced Database Cleaner – Premium
Vendor
CVE Published:
20 May 2026

What is CVE-2026-7522?

The Advanced Database Cleaner plugin for WordPress is susceptible to Local File Inclusion through the 'template' parameter in versions up to 4.1.0. This vulnerability allows authenticated users with Subscriber-level access and above to include and execute arbitrary PHP files on the server. As a result, it may enable attackers to bypass access controls, extract sensitive information, or execute arbitrary PHP code, posing significant security risks to affected websites.

Affected Version(s)

Advanced Database Cleaner – Premium 0 <= 4.1.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://sigmaplugin.com/downloads/wordpress-advanced-data...
https://docs.sigmaplugin.com/article/97-advanced-database...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Nguyen Ngoc Duc
.