Skip to main content

Bonbon WordPress Theme CVE-2026-28030

HIGH
PHP Remote File Inclusion (CWE-98)
2026-03-05 audit@patchstack.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 01:10 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 8.1

DescriptionCVE.org

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.This issue affects Bonbon: from n/a through <= 1.6.

AnalysisAI

Local file inclusion in ThemeREX Bonbon WordPress theme through version 1.6 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Reported by Patchstack audit team with a 0.15% EPSS score (low exploitation probability), this vulnerability allows unauthenticated network-based attacks despite high complexity requirements. No active exploitation confirmed via CISA KEV, though the LFI attack pattern is well-understood by attackers. PHP-based themes with improper include/require statement controls are common attack surfaces in WordPress environments.

Technical ContextAI

This is a PHP Local File Inclusion (LFI) vulnerability caused by improper control of filename parameters in include or require statements, classified under CWE-98. The Bonbon WordPress theme, developed by ThemeREX, fails to properly sanitize user-supplied input before using it in file inclusion functions. In PHP applications, when user-controllable data is passed directly to include(), require(), include_once(), or require_once() functions without adequate validation, attackers can manipulate file paths to access files outside the intended directory. While tagged as LFI, the CWE-98 classification 'PHP Remote File Inclusion' suggests potential for both local and remote file inclusion depending on PHP configuration settings like allow_url_include. The vulnerability exists in theme code rather than WordPress core, affecting sites using Bonbon versions up to and including 1.6.

Affected ProductsAI

ThemeREX Bonbon WordPress theme versions from earliest available release through version 1.6 are confirmed vulnerable based on Patchstack database records. The vulnerability exists in the theme's PHP code handling file inclusion operations. WordPress installations using Bonbon theme version 1.6 or earlier are at risk. No CPE identifiers provided in available data. Vendor advisory and detailed technical analysis available at Patchstack database reference link. Organizations should inventory WordPress sites to identify any installations using the Bonbon theme and check active theme version via WordPress admin dashboard under Appearance > Themes.

RemediationAI

Update ThemeREX Bonbon theme to version 1.6.1 or later if a patched version has been released by the vendor. Check the Patchstack vulnerability database at https://patchstack.com/database/Wordpress/Theme/bonbon/vulnerability/wordpress-bonbon-theme-1-6-local-file-inclusion-vulnerability for updated patch information and vendor response. If no patch is available or immediate update is not feasible, implement the following compensating controls: Disable the Bonbon theme and switch to a maintained alternative WordPress theme until patches are available. If the theme must remain active, implement Web Application Firewall (WAF) rules to block requests containing directory traversal sequences (../, ..../, %2e%2e%2f, etc.) in URL parameters and POST data, though this may break legitimate theme functionality if file paths are used in normal operations. Restrict PHP file inclusion capabilities by ensuring allow_url_include is set to Off in php.ini configuration, preventing remote file inclusion escalation (note: this is typically disabled by default in modern PHP but should be verified). Review web server access logs for suspicious requests containing file path manipulation attempts targeting the theme directory (typically /wp-content/themes/bonbon/). Each mitigation carries trade-offs: theme switching disrupts site appearance and may require redesign work; WAF rules risk false positives blocking legitimate requests; PHP configuration changes are server-wide and require hosting provider access.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-28030 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy