CVE-2026-11426
The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the template_thumbnail parameter and copying their contents into a publicly accessible uploads file. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server, which can contain sensitive information.
- No active-exploitation, high-EPSS, or public-exploit signals - routine patching cadence
Exploitation momentum
2 days of EPSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N- 11 Jul 2026Published to NVD
- 13 Jul 2026Last modified
ATT&CK techniques
1Techniques this CVE enables. Pills with a solid outline are high confidence - named directly in ATT&CK or Nuclei, or human-curated by CTID; the rest are inferred from the weakness type using MITRE's CVE Mapping Methodology and the CWE → CAPEC chain. Broad, generic-weakness guesses are filtered out. A small N× marks a technique that N independent sources agree on.
▤ Build a SIEM detection for these techniquesCAPEC attack patterns
5Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.