Police Department CVE-2026-28049
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Police Department police-department allows PHP Local File Inclusion.This issue affects Police Department: from n/a through <= 2.17.
AnalysisAI
Local file inclusion in the Police Department WordPress theme through version 2.17 allows remote attackers to read arbitrary files on the server and potentially achieve remote code execution through file disclosure and log poisoning techniques. Discovered by Patchstack's audit team, this vulnerability carries an EPSS score of 0.15%, indicating low probability of widespread exploitation despite its network-accessible attack vector. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
This vulnerability stems from improper validation of file paths in PHP include/require statements within the Police Department WordPress theme by ThemeREX. Classified as CWE-98 (Improper Control of Filename for Include/Require Statement), the flaw allows attackers to manipulate file path parameters to include local files outside the intended directory structure. While labeled 'PHP Remote File Inclusion' in the description, the tags and Patchstack reference confirm this is actually Local File Inclusion (LFI). The distinction matters: LFI reads server-local files, while RFI executes remote code directly. In WordPress themes, LFI vulnerabilities typically occur in template loaders, AJAX handlers, or custom routing logic that improperly sanitizes user-supplied file paths before passing them to include(), require(), or related functions.
Affected ProductsAI
The vulnerability affects the Police Department WordPress theme by ThemeREX, versions from earliest available release through version 2.17 inclusive. The Patchstack advisory URL (https://patchstack.com/database/Wordpress/Theme/police-department/vulnerability/wordpress-police-department-theme-2-17-local-file-inclusion-vulnerability) serves as the primary vendor reference. No specific CPE identifier was provided in the source data. WordPress installations using this theme in any configuration are potentially vulnerable.
RemediationAI
Upgrade the Police Department theme to a patched version newer than 2.17. According to the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/police-department/vulnerability/wordpress-police-department-theme-2-17-local-file-inclusion-vulnerability, a fix should be available. If immediate patching is not feasible, implement the following compensating controls: disable the Police-department theme and switch to a different WordPress theme until patching is complete, as this eliminates the vulnerable code path entirely; restrict direct access to theme files by configuring web server rules to block direct requests to .php files in wp-content/themes/police-department/ except index.php (though this may break legitimate theme functionality requiring testing); enable PHP disable_functions directive to block sensitive file operations like show_source, highlight_file, and symlink which attackers commonly leverage post-LFI (side effect: may break plugins using these functions legitimately). Monitor web server access logs for suspicious requests containing path traversal patterns like '../' or '%2e%2e%2f' targeting the theme directory. Note that Web Application Firewall rules blocking traversal sequences provide detection but determined attackers may bypass them through encoding variations.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today