{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32537", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:24.777Z", "datePublished": "2026-03-25T16:15:10.746Z", "dateUpdated": "2026-03-25T20:08:46.372Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "visual-portfolio", "product": "Visual Portfolio, Photo Gallery & Post Grid", "vendor": "nK", "versions": [{"changes": [{"at": "3.5.2", "status": "unaffected"}], "lessThanOrEqual": "<= 3.5.1", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:41.734Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.<p>This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:10.746Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/visual-portfolio/vulnerability/wordpress-visual-portfolio-photo-gallery-post-grid-plugin-3-5-1-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Visual Portfolio, Photo Gallery & Post Grid plugin <= 3.5.1 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:08:40.653172Z", "id": "CVE-2026-32537", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:08:46.372Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T20:08:40.653172Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:08:31.940Z"}}], "cna": {"title": "WordPress Visual Portfolio, Photo Gallery & Post Grid plugin <= 3.5.1 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "nK", "product": "Visual Portfolio, Photo Gallery & Post Grid", "versions": [{"status": "affected", "changes": [{"at": "3.5.2", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.5.1"}], "packageName": "visual-portfolio", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:41.734Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/visual-portfolio/vulnerability/wordpress-visual-portfolio-photo-gallery-post-grid-plugin-3-5-1-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.<p>This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:10.746Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32537", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:08:46.372Z", "dateReserved": "2026-03-12T11:12:24.777Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:10.746Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through <= 3.5.1."}], "id": "CVE-2026-32537", "lastModified": "2026-03-25T21:16:46.153", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:07.427", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/visual-portfolio/vulnerability/wordpress-visual-portfolio-photo-gallery-post-grid-plugin-3-5-1-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.5.1]"}}], "enrichment": {"confidence": 84.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 84.0, "source": "matching"}]}, "original": {"product": "Visual Portfolio, Photo Gallery & Post Grid", "source": "cna", "vendor": "nK"}, "product": "visual_portfolio,_photo_gallery_&_post_grid", "vendor": "visualportfolio"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-26T00:04:35.832754+00:00", "value": {"mitigation_remediation": ["Upgrade the Visual Portfolio, Photo Gallery & Post Grid plugin to a version newer than 3.5.1, if such a release exists.", "If an update is not immediately possible, deactivate the plugin entirely to remove the local file inclusion path.", "Perform a file system audit to ensure that no files that could be referenced by the plugin remain accessible via the web root.", "Monitor the WordPress plugin repository or the vendor\u2019s update channel for a patch and apply it as soon as it becomes available."], "summary": {"action": "Patch Now", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the Visual Portfolio, Photo Gallery & Post Grid plugin installed and running a version through 3.5.1 is impacted. The flaw exists in all releases from the plugin\u2019s earliest public version up to and including 3.5.1.", "description_and_impact": "The Visual Portfolio, Photo Gallery & Post Grid plugin contains an improper handling of file names supplied in PHP include/require statements. An attacker can supply a crafted path that causes the server to read or execute files from the local filesystem. This flaw can lead to the disclosure of sensitive data or arbitrary code execution within the context of the WordPress site, compromising confidentiality and integrity.", "risk_and_exploitability": "The severity score of 7.5 classifies the issue as high. No public exploits have been documented at the time of writing. The likely attack vector is through a publicly accessible interface or administrative setting that accepts file path input, allowing an attacker to trigger the inclusion of malicious or sensitive files. Full exploitation requires the attacker to have write or read access to the site\u2019s file system path specified by the plugin\u2019s code."}}}}, "created": "2026-03-26T11:34:53.300099+00:00", "updated": "2026-03-26T12:12:16.326796+00:00", "vendors": ["visualportfolio", "visualportfolio$PRODUCT$visual_portfolio,_photo_gallery_&_post_grid", "wordpress", "wordpress$PRODUCT$wordpress"]}