Skip to main content

ThemeREX Aqualots CVE-2026-28088

HIGH
PHP Remote File Inclusion (CWE-98)
2026-03-05 audit@patchstack.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 8.1

DescriptionCVE.org

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion.This issue affects Aqualots: from n/a through <= 1.1.6.

AnalysisAI

Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.

Technical ContextAI

This vulnerability stems from improper sanitization of user-controlled input used in PHP include/require statements (CWE-98). The Aqualots WordPress theme fails to validate file paths before passing them to PHP file inclusion functions, allowing path traversal sequences. While the CVE description mentions 'Remote File Inclusion,' the CWE classification and Patchstack tagging indicate this is a Local File Inclusion (LFI) vulnerability. In WordPress themes, this typically occurs when dynamic template loading or file inclusion mechanisms trust user input from GET/POST parameters or HTTP headers. Successful exploitation allows reading arbitrary files within the web server's filesystem context (wp-config.php, /etc/passwd) or executing existing PHP files with attacker-controlled parameters, potentially leading to code execution if combined with file upload or log poisoning techniques.

Affected ProductsAI

ThemeREX Aqualots WordPress theme versions 1.1.6 and earlier are confirmed vulnerable per Patchstack database. The vulnerability affects all installations where the theme is active, regardless of WordPress version. Specific CPE designation was not provided in available data, though the product is definitively identified as a WordPress theme component. Complete vendor advisory and affected version enumeration are available at the Patchstack reference link provided by the NVD listing.

RemediationAI

Upgrade to Aqualots theme version 1.1.7 or later if available, though the exact patched version is not confirmed in the provided data sources. Consult the Patchstack database entry at https://patchstack.com/database/Wordpress/Theme/aqualots/vulnerability/wordpress-aqualots-theme-1-1-6-local-file-inclusion-vulnerability for vendor-specific remediation guidance and confirmed fix version. If patching is not immediately feasible, implement compensating controls: disable the Aqualots theme and switch to a maintained alternative theme until updates are verified, as WordPress allows theme switching without data loss. For sites requiring continued Aqualots operation, implement Web Application Firewall rules to block path traversal patterns ('../', encoded variants) in all user-supplied input, though this may break legitimate theme functionality requiring file path parameters. Monitor web server logs for suspicious requests containing traversal sequences or unusual file paths targeting theme directories. Note that WAF-based mitigation reduces but does not eliminate risk, as sophisticated attackers may bypass pattern matching.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-28088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy