Bonbon WordPress Theme CVE-2026-28030
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.This issue affects Bonbon: from n/a through <= 1.6.
AnalysisAI
Local file inclusion in ThemeREX Bonbon WordPress theme through version 1.6 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Reported by Patchstack audit team with a 0.15% EPSS score (low exploitation probability), this vulnerability allows unauthenticated network-based attacks despite high complexity requirements. No active exploitation confirmed via CISA KEV, though the LFI attack pattern is well-understood by attackers. PHP-based themes with improper include/require statement controls are common attack surfaces in WordPress environments.
Technical ContextAI
This is a PHP Local File Inclusion (LFI) vulnerability caused by improper control of filename parameters in include or require statements, classified under CWE-98. The Bonbon WordPress theme, developed by ThemeREX, fails to properly sanitize user-supplied input before using it in file inclusion functions. In PHP applications, when user-controllable data is passed directly to include(), require(), include_once(), or require_once() functions without adequate validation, attackers can manipulate file paths to access files outside the intended directory. While tagged as LFI, the CWE-98 classification 'PHP Remote File Inclusion' suggests potential for both local and remote file inclusion depending on PHP configuration settings like allow_url_include. The vulnerability exists in theme code rather than WordPress core, affecting sites using Bonbon versions up to and including 1.6.
Affected ProductsAI
ThemeREX Bonbon WordPress theme versions from earliest available release through version 1.6 are confirmed vulnerable based on Patchstack database records. The vulnerability exists in the theme's PHP code handling file inclusion operations. WordPress installations using Bonbon theme version 1.6 or earlier are at risk. No CPE identifiers provided in available data. Vendor advisory and detailed technical analysis available at Patchstack database reference link. Organizations should inventory WordPress sites to identify any installations using the Bonbon theme and check active theme version via WordPress admin dashboard under Appearance > Themes.
RemediationAI
Update ThemeREX Bonbon theme to version 1.6.1 or later if a patched version has been released by the vendor. Check the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/bonbon/vulnerability/wordpress-bonbon-theme-1-6-local-file-inclusion-vulnerability for updated patch information and vendor response. If no patch is available or immediate update is not feasible, implement the following compensating controls: Disable the Bonbon theme and switch to a maintained alternative WordPress theme until patches are available. If the theme must remain active, implement Web Application Firewall (WAF) rules to block requests containing directory traversal sequences (../, ..../, %2e%2e%2f, etc.) in URL parameters and POST data, though this may break legitimate theme functionality if file paths are used in normal operations. Restrict PHP file inclusion capabilities by ensuring allow_url_include is set to Off in php.ini configuration, preventing remote file inclusion escalation (note: this is typically disabled by default in modern PHP but should be verified). Review web server access logs for suspicious requests containing file path manipulation attempts targeting the theme directory (typically /wp-content/themes/bonbon/). Each mitigation carries trade-offs: theme switching disrupts site appearance and may require redesign work; WAF rules risk false positives blocking legitimate requests; PHP configuration changes are server-wide and require hosting provider access.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today