ThemeREX Aqualots CVE-2026-28088
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion.This issue affects Aqualots: from n/a through <= 1.1.6.
AnalysisAI
Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.
Technical ContextAI
This vulnerability stems from improper sanitization of user-controlled input used in PHP include/require statements (CWE-98). The Aqualots WordPress theme fails to validate file paths before passing them to PHP file inclusion functions, allowing path traversal sequences. While the CVE description mentions 'Remote File Inclusion,' the CWE classification and Patchstack tagging indicate this is a Local File Inclusion (LFI) vulnerability. In WordPress themes, this typically occurs when dynamic template loading or file inclusion mechanisms trust user input from GET/POST parameters or HTTP headers. Successful exploitation allows reading arbitrary files within the web server's filesystem context (wp-config.php, /etc/passwd) or executing existing PHP files with attacker-controlled parameters, potentially leading to code execution if combined with file upload or log poisoning techniques.
Affected ProductsAI
ThemeREX Aqualots WordPress theme versions 1.1.6 and earlier are confirmed vulnerable per Patchstack database. The vulnerability affects all installations where the theme is active, regardless of WordPress version. Specific CPE designation was not provided in available data, though the product is definitively identified as a WordPress theme component. Complete vendor advisory and affected version enumeration are available at the Patchstack reference link provided by the NVD listing.
RemediationAI
Upgrade to Aqualots theme version 1.1.7 or later if available, though the exact patched version is not confirmed in the provided data sources. Consult the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/aqualots/vulnerability/wordpress-aqualots-theme-1-1-6-local-file-inclusion-vulnerability for vendor-specific remediation guidance and confirmed fix version. If patching is not immediately feasible, implement compensating controls: disable the Aqualots theme and switch to a maintained alternative theme until updates are verified, as WordPress allows theme switching without data loss. For sites requiring continued Aqualots operation, implement Web Application Firewall rules to block path traversal patterns ('../', encoded variants) in all user-supplied input, though this may break legitimate theme functionality requiring file path parameters. Monitor web server logs for suspicious requests containing traversal sequences or unusual file paths targeting theme directories. Note that WAF-based mitigation reduces but does not eliminate risk, as sophisticated attackers may bypass pattern matching.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today