Skip to main content
CVE-2026-28085 HIGH This Week

Local file inclusion in ThemeREX Mahogany WordPress theme versions through 2.9 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem via manipulated PHP include/require statements. While classified as high-severity (CVSS 8.1), real-world exploitation risk appears moderate given the EPSS score of 0.15% (36th percentile) and high attack complexity rating. No active exploitation or public exploit code identified at time of analysis. Patchstack security audit identified and disclosed this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28084 HIGH This Week

PHP Local File Inclusion in ThemeREX Bazinga theme for WordPress (versions ≤1.1.9) allows remote unauthenticated attackers to include and execute arbitrary local files via improper filename control in require/include statements. Despite high CVSS 8.1 severity, EPSS exploitation probability is low (0.15%, 36th percentile), and no active exploitation or public POC has been identified at time of analysis. Patchstack database reports this as both a local file inclusion vector and potential information disclosure issue, suggesting exploitation could lead to code execution through PHP file inclusion or exposure of sensitive configuration data.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28081 HIGH This Week

Local file inclusion in the ThemeREX Windsor WordPress theme allows remote attackers to include and execute arbitrary PHP files on the server through improper filename control. Affects all versions through 2.5.0. Despite CVSS 8.1 (High), EPSS indicates low exploitation probability (0.15%, 36th percentile), suggesting limited attacker interest. No active exploitation confirmed via CISA KEV at time of analysis. Patchstack database lists this vulnerability with PHP and information disclosure tags, indicating potential for data exfiltration beyond code execution.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28079 HIGH This Week

Local File Inclusion in Conquerors WordPress theme 1.2.13 and earlier enables remote attackers to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive data. Despite a CVSS score of 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public POC at time of analysis. However, the network-accessible attack vector with no authentication requirement makes this a priority for sites running the affected theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28077 HIGH This Week

Local file inclusion in ThemeREX Vapester WordPress theme versions ≤1.1.10 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. Despite high CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed by CISA KEV, though Patchstack database listing indicates vulnerability is known to security researchers.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28069 HIGH This Week

Local file inclusion in ThemeREX Le Truffe WordPress theme versions up to 1.1.7 enables remote attackers to read arbitrary files from the web server without authentication. While CVSS scores 8.1 (High), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation. The vulnerability stems from improper filename control in PHP include/require statements, allowing path traversal to access sensitive server files. No public exploit code identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28068 HIGH This Week

Local File Inclusion in ThemeREX Rhythmo WordPress theme through version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server and potentially achieve remote code execution through log file poisoning or PHP wrapper exploitation. Despite network attack vector (AV:N) and high impact ratings (C:H/I:H/A:H), EPSS probability remains low at 0.15%, and no active exploitation has been confirmed in CISA KEV. Attack complexity is rated HIGH (AC:H), indicating specific conditions or timing required for successful exploitation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28067 HIGH This Week

Local File Inclusion vulnerability in ThemeREX Bassein WordPress theme versions up to 1.0.15 allows remote unauthenticated attackers to include and execute arbitrary PHP files on the server via improper filename handling. Despite CVSS 8.1 High severity, EPSS exploitation probability is only 0.15% (36th percentile), suggesting limited attacker interest. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis. Patchstack advisory indicates this is a PHP file inclusion flaw affecting theme installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28066 HIGH This Week

Local file inclusion in ThemeREX Legrand WordPress theme versions ≤2.17 allows remote attackers to read arbitrary files from the server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public exploit code. Reported by Patchstack security research team, this represents a moderate real-world risk primarily for installations where attackers can control file path parameters.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28065 HIGH This Week

Local file inclusion in ThemeREX Eject WordPress theme versions up to 2.17 enables remote attackers to read arbitrary files on the server or execute PHP code without authentication. Despite high CVSS 8.1 severity, EPSS exploitation probability remains low at 0.15% (36th percentile) with no confirmed active exploitation. Patchstack security audit identified the vulnerability as a PHP file inclusion flaw allowing information disclosure through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28064 HIGH This Week

Local file inclusion in ThemeREX Edge Decor WordPress theme through version 2.2 allows remote attackers to read arbitrary files on the server and potentially execute code via improper control of PHP include/require statements. Despite a CVSS score of 8.1, real-world exploitation risk appears moderate with EPSS at 0.15% (36th percentile) and no evidence of active exploitation or public POC. Attack complexity is rated high (AC:H), suggesting exploitation requires specific conditions beyond default configuration.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28063 HIGH This Week

Local file inclusion in ThemeREX Asia Garden WordPress theme (versions ≤1.3.1) allows remote attackers to include and execute arbitrary PHP files on the server. Despite a CVSS base score of 8.1 (High), the EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability in the wild. The vulnerability requires high attack complexity (AC:H) but no authentication (PR:N), enabling unauthenticated remote exploitation under specific conditions. Patchstack database confirmed this LFI vulnerability affecting WordPress installations using this theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28062 HIGH This Week

Local file inclusion in ThemeREX Happy Baby WordPress theme versions ≤1.2.12 allows remote unauthenticated attackers to read arbitrary files from the web server and potentially execute PHP code. Patchstack reported this vulnerability (CWE-98) affecting file inclusion controls, though EPSS probability remains low at 0.15% with no confirmed active exploitation. The CVSS vector indicates network-based attack with high complexity but no authentication requirement, enabling confidentiality, integrity, and availability compromise.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28061 HIGH This Week

Local file inclusion in ThemeREX Tiger Claw WordPress theme allows remote attackers to read arbitrary files from the web server and potentially execute code. Affects versions up to and including 1.1.14. Despite a high CVSS score of 8.1, the EPSS probability is low at 0.15% (36th percentile), suggesting limited exploitation attempts observed to date. No active exploitation confirmed by CISA KEV, though the vulnerability was reported by Patchstack's security research team.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28060 HIGH This Week

Local file inclusion in ThemeREX S.King WordPress theme through version 1.5.3 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute PHP code via path manipulation in include/require statements. Despite the 8.1 CVSS score reflecting high severity, EPSS exploitation probability is low (0.15%, 36th percentile) and no active exploitation or public POC has been reported. Patchstack audit team disclosed this vulnerability affecting WordPress deployments using this theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28059 HIGH This Week

Local File Inclusion (LFI) vulnerability in ThemeREX Dermatology Clinic WordPress theme versions ≤1.4.3 allows remote attackers to include and execute arbitrary PHP files on the server. Despite CVSS 8.1, EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation. Patchstack database confirms the vulnerability but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world targeting of this WordPress theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28058 HIGH This Week

Local file inclusion in ThemeREX Dixon WordPress theme through version 1.4.2.1 allows remote attackers to read arbitrary files from the server filesystem without authentication. Despite high attack complexity (AC:H), this vulnerability enables unauthorized access to sensitive configuration files, credentials, and potentially source code. EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation, consistent with targeting of a specific premium WordPress theme. No active exploitation confirmed (not in CISA KEV), but Patchstack public disclosure increases attack surface visibility.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28057 HIGH This Week

Local file inclusion in ThemeREX Mandala WordPress theme versions ≤2.8 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper filename control in include/require statements. Despite a CVSS score of 8.1, the EPSS probability remains low (0.15%, 36th percentile), suggesting limited attacker interest or exploitation barriers. No active exploitation or public proof-of-concept has been identified, and the vulnerability requires high attack complexity (AC:H), indicating specific conditions must be met for successful exploitation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28056 HIGH This Week

Local file inclusion in MCKinney's Politics WordPress theme versions ≤1.2.8 allows remote attackers to read arbitrary files on the server via path traversal in include/require statements. Despite the high CVSS score (8.1), EPSS probability is low (0.15%, 36th percentile) and no active exploitation is documented. Patchstack has cataloged this as a confirmed vulnerability affecting the ThemeREX-developed WordPress theme, enabling information disclosure through improper input validation in PHP file inclusion functions.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28055 HIGH This Week

Local file inclusion in the M.Williamson WordPress theme through version 1.2.11 enables remote attackers to read arbitrary files from the server filesystem without authentication. Despite high-complexity exploitation barriers (CVSS AC:H), this vulnerability carries an 8.1 CVSS score due to complete compromise of confidentiality and integrity if successfully exploited. EPSS score of 0.15% (36th percentile) suggests low probability of mass exploitation. No active exploitation confirmed via CISA KEV, though Patchstack database inclusion indicates researcher discovery and analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28054 HIGH This Week

Local file inclusion in Legal Stone WordPress theme 1.2.11 and earlier allows remote attackers to read arbitrary files and potentially execute malicious code through improper filename control in PHP include/require statements. Exploitation probability remains low (EPSS 0.15%, 36th percentile) with no confirmed active exploitation, though the network-accessible attack vector and lack of authentication requirements present material risk for sites using this theme. Patchstack database reports this vulnerability affecting all versions through 1.2.11.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28053 HIGH This Week

Local file inclusion in ThemeREX Miller WordPress theme through version 1.3.3 allows remote unauthenticated attackers to read arbitrary files and potentially execute malicious code via improper PHP include/require statement handling. CVSS rates this 8.1 (High) but EPSS exploitation probability is low at 0.15% (36th percentile), indicating targeted rather than widespread exploitation risk. Patchstack has documented this vulnerability but no CISA KEV listing exists, suggesting no confirmed active exploitation campaigns at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28052 HIGH This Week

Local file inclusion in ThemeREX Peter Mason WordPress theme versions up to 1.4.5 allows remote unauthenticated attackers to include and execute arbitrary PHP files from the server's filesystem. The vulnerability stems from improper validation of file paths in include/require statements (CWE-98), enabling attackers to read sensitive files, execute malicious code, or escalate privileges. EPSS score of 0.15% (36th percentile) indicates relatively low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack security research identified this flaw, suggesting security researchers are aware but widespread targeting is not yet evident.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28051 HIGH This Week

Local file inclusion in ThemeREX Yacht Rental theme versions through 2.6 enables remote attackers to read arbitrary files on the web server without authentication. The vulnerability stems from improper validation of include/require statements, classified as CWE-98 (PHP Remote File Inclusion). While CVSS scores 8.1 (High), the low EPSS score (0.15%, 36th percentile) suggests minimal observed exploitation activity. Patchstack audit team identified and reported this WordPress theme vulnerability, which affects default configurations requiring no special prerequisites beyond network access to the WordPress installation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28050 HIGH This Week

Local file inclusion in ThemeREX Beacon WordPress theme versions ≤2.24 allows remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. Despite high-attack-complexity requirements (CVSS AC:H), this enables unauthenticated access to sensitive configuration files, credentials, and application source code. No public exploit identified at time of analysis, with low EPSS score (0.15%, 36th percentile) suggesting minimal observed exploitation activity. Patchstack advisory available but patched release version not independently confirmed.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28049 HIGH This Week

Local file inclusion in the Police Department WordPress theme through version 2.17 allows remote attackers to read arbitrary files on the server and potentially achieve remote code execution through file disclosure and log poisoning techniques. Discovered by Patchstack's audit team, this vulnerability carries an EPSS score of 0.15%, indicating low probability of widespread exploitation despite its network-accessible attack vector. No public exploit code or active exploitation has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28048 HIGH This Week

Local file inclusion in FlashMart theme versions ≤2.0.15 allows remote attackers to read arbitrary files on the server through improper filename validation in PHP include/require statements. With CVSS 8.1 (High) and CWE-98 classification, attackers can potentially access sensitive configuration files, credentials, and application source code. EPSS exploitation probability is low (0.15%, 36th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the flaw affects the WordPress theme variant.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28047 HIGH This Week

Local file inclusion in Magentech Victo WordPress theme through version 1.4.16 allows remote attackers to read arbitrary server files and potentially execute code. Despite CWE-98 classification as 'Remote File Inclusion', technical evidence and Patchstack tagging confirm local file inclusion behavior. EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability. No CISA KEV listing or public POC identified at time of analysis, though Patchstack reporting suggests researcher awareness of exploitation technique.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28046 HIGH This Week

Local file inclusion in ThemeREX Law Office WordPress theme versions up to 3.3.0 allows remote unauthenticated attackers to read arbitrary files from the server through improper PHP include/require controls. With EPSS score of 0.15%, this represents a moderate real-world exploitation probability. The vulnerability enables information disclosure attacks against WordPress sites using the affected theme, potentially exposing configuration files, credentials, and sensitive application data.

PHP LFI Microsoft Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28045 HIGH This Week

Local File Inclusion in N7 Golf Club WordPress theme through version 2.16.0 allows remote attackers to read arbitrary server files via crafted PHP file path manipulation. Despite CVSS 8.1, exploitation requires specific attack chain complexity (AC:H). EPSS 0.15% indicates minimal active exploitation observed. No CISA KEV listing or public POC identified at time of analysis, suggesting limited attacker interest in this WordPress theme vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28041 HIGH This Week

Local File Inclusion in AncoraThemes Grit WordPress theme (versions ≤1.0.1) allows remote attackers to include arbitrary local files through improper validation of PHP include/require statements. Attack requires high complexity (CVSS AC:H) but no authentication, enabling unauthenticated attackers to achieve high confidentiality, integrity, and availability impact. EPSS score of 0.15% (36th percentile) indicates relatively low mass exploitation probability despite network attack vector. Patchstack audit team identified this vulnerability affecting PHP-based file operations with potential for information disclosure.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28035 HIGH This Week

Local file inclusion in ThemeREX Printy theme versions through 1.8 allows remote attackers to read arbitrary files from the web server filesystem and potentially achieve code execution. Despite high CVSS 8.1, EPSS exploitation probability is low at 0.15% (36th percentile), suggesting limited attacker interest. Patchstack has published vulnerability details, but no public exploit code or active exploitation has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28034 HIGH This Week

Local file inclusion in ThemeREX Progress WordPress theme version 1.2 and earlier allows remote attackers to read arbitrary files from the web server filesystem via PHP file inclusion flaws. Despite the 8.1 CVSS score, EPSS probability is low (0.15%, 36th percentile), indicating limited real-world exploitation activity. No CISA KEV listing confirms this remains a lower-priority vulnerability despite network reachability. Patchstack database identifies this as exploitable for information disclosure through local file access.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28033 HIGH This Week

Local file inclusion in ThemeREX Edifice WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute PHP code by manipulating file inclusion parameters. Exploitation requires bypassing a high attack complexity barrier (AC:H) without authentication, making this a critical vulnerability for websites using affected versions. EPSS score of 0.15% indicates minimal observed exploitation activity in the wild, and no CISA KEV listing exists at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28032 HIGH This Week

Local file inclusion in ThemeREX Tuning WordPress theme versions ≤1.3 enables remote attackers to read arbitrary files and potentially achieve code execution through PHP file inclusion mechanisms. Despite the high CVSS score (8.1), exploitation probability remains low (EPSS 0.15%, 36th percentile) and no active exploitation has been confirmed. Patchstack vulnerability database identifies this as affecting the Tuning theme through version 1.3, with the attack requiring high complexity network-based exploitation without authentication or user interaction.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28031 HIGH This Week

Local file inclusion in ThemeREX Invetex WordPress theme versions ≤2.18 allows remote attackers to include and execute arbitrary PHP files from the server's filesystem, potentially leading to remote code execution, credential theft, or full site compromise. EPSS probability of 0.15% indicates relatively low observed exploitation despite network attack vector. Patchstack security audit identified the vulnerability in PHP file handling routines where inadequate validation enables path traversal to sensitive files.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28030 HIGH This Week

Local file inclusion in ThemeREX Bonbon WordPress theme through version 1.6 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Reported by Patchstack audit team with a 0.15% EPSS score (low exploitation probability), this vulnerability allows unauthenticated network-based attacks despite high complexity requirements. No active exploitation confirmed via CISA KEV, though the LFI attack pattern is well-understood by attackers. PHP-based themes with improper include/require statement controls are common attack surfaces in WordPress environments.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28029 HIGH This Week

Local file inclusion in ThemeREX EmojiNation WordPress theme versions through 1.0.12 allows remote attackers to read arbitrary files on the web server without authentication. Despite a CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited real-world exploitation activity. Patchstack database reports this as a PHP local file inclusion vulnerability with information disclosure impact, indicating attackers can access sensitive configuration files, credentials, or source code to facilitate subsequent attacks.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28028 HIGH This Week

Local file inclusion vulnerability in ThemeREX MoneyFlow WordPress theme version 1.0 and earlier enables remote attackers to read arbitrary files from the server filesystem and potentially execute PHP code. Reported by Patchstack security researchers, this vulnerability exploits improper validation of file paths in PHP include/require statements. With EPSS exploitation probability at 0.15% (36th percentile), widespread exploitation is not yet observed, though the network-accessible attack vector combined with high confidentiality, integrity, and availability impacts warrants immediate patching for sites using this theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28027 HIGH This Week

Local file inclusion in ThemeREX Kayon WordPress theme versions through 1.3 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite network-reachable attack vector (CVSS AV:N), exploitation requires high complexity conditions (AC:H) without authentication, resulting in a moderate EPSS score of 0.15% (36th percentile). Patchstack database lists this as an actively tracked vulnerability affecting WordPress installations, though no CISA KEV listing indicates limited widespread exploitation at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28026 HIGH This Week

Local file inclusion in the Motorix WordPress theme versions 1.6 and earlier permits remote attackers to include and execute arbitrary PHP files on the server, despite high attack complexity. The vulnerability stems from improper validation of file paths in include/require statements. With EPSS exploitation probability at 0.15% (low percentile 36%), this appears to be a targeted WordPress theme vulnerability rather than widespread attack vector, though the CVSS score of 8.1 reflects the potential for complete system compromise if successfully exploited.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28025 HIGH This Week

Local file inclusion in ThemeREX Stargaze WordPress theme versions through 1.5 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Reported by Patchstack security audit team. EPSS probability of 0.15% suggests low widespread exploitation likelihood, though network-accessible vector and high impact ratings warrant attention for sites using this theme. No active exploitation confirmed via CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28024 HIGH This Week

Local file inclusion in axiomthemes Helion WordPress theme through version 1.1.12 enables remote attackers to read arbitrary files and potentially execute malicious code through improper filename validation in PHP include/require statements. While CVSS scores 8.1 (High) with network vector and no authentication required, attack complexity is rated High and EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world weaponization. The CWE-98 classification indicates classic PHP file inclusion vulnerabilities where attacker-controlled input influences file paths in include() or require() functions. Patchstack database lists this as both LFI and information disclosure, indicating read access is confirmed while remote code execution depends on exploitation chain completeness.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28023 HIGH This Week

Local File Inclusion (LFI) in ThemeREX Nuts WordPress theme versions through 1.10 allows remote attackers to read arbitrary files from the web server filesystem without authentication. While CVSS rates this 8.1 High, EPSS exploitation probability is low (0.15%, 36th percentile), suggesting limited active targeting. No CISA KEV listing or public exploit code identified at time of analysis, indicating this remains a theoretical risk requiring specific attack conditions despite the network-accessible vector.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28022 HIGH This Week

Local File Inclusion in ThemeREX Foodie WordPress theme through version 1.14 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Despite the high CVSS score of 8.1, real-world exploitation likelihood remains low (EPSS 0.15%, 36th percentile) with no active exploitation confirmed at time of analysis. The vulnerability stems from improper validation of file paths in PHP include/require statements, classified as CWE-98.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28021 HIGH This Week

Local file inclusion in ThemeREX Craftis WordPress theme versions through 1.2.8 enables remote attackers to read arbitrary server files and potentially achieve remote code execution via PHP file inclusion. The vulnerability stems from improper validation of filenames in include/require statements, allowing traversal to sensitive files. EPSS score of 0.15% indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack has documented this vulnerability affecting all installations prior to version 1.2.9.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28020 HIGH This Week

Local file inclusion vulnerability in ThemeREX Chroma WordPress theme versions ≤1.11 allows remote attackers to read arbitrary files from the web server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS probability is low (0.15%, 36th percentile) and no active exploitation is confirmed. Patchstack has documented this vulnerability, indicating professional security researcher awareness and likely forthcoming vendor response.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28019 HIGH This Week

Local file inclusion in the Manoir WordPress theme version 1.11 and earlier allows remote unauthenticated attackers to read arbitrary files on the server through improper validation of file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates low real-world exploitation probability (0.15%, 36th percentile), suggesting this is likely a targeted risk rather than widespread threat. Patchstack database confirms the vulnerability exists but no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28018 HIGH This Week

Local file inclusion vulnerability in ThemeREX Global Logistics WordPress theme through version 3.20 allows remote attackers to include arbitrary local files without authentication. Exploitation requires high complexity but no user interaction. With EPSS score of 0.15% (36th percentile), real-world exploitation probability remains low despite theoretical remote attack vector and lack of authentication requirements. Vulnerability identified by Patchstack audit team with public advisory available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28017 HIGH This Week

ThemeREX Green Thumb plugin version 1.1.12 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling file disclosure without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
Prev Page 4 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy