Ozisti WordPress Theme CVE-2026-28093
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through <= 1.1.10.
AnalysisAI
Local file inclusion in ThemeREX Ozisti WordPress theme versions up to 1.1.10 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code by including malicious local files. Despite the high CVSS score of 8.1, exploitation requires high complexity (AC:H) and EPSS indicates only 0.15% probability of exploitation in the wild (36th percentile), suggesting limited real-world targeting. No active exploitation confirmed by CISA KEV, though Patchstack has documented the vulnerability with security researchers.
Technical ContextAI
This vulnerability stems from improper validation of file paths in PHP include/require statements (CWE-98), a common flaw in WordPress themes and plugins that dynamically load template files or configuration data. The Ozisti theme by ThemeREX fails to properly sanitize user-controlled input used in file inclusion functions, allowing attackers to manipulate file paths. While classified as 'PHP Remote File Inclusion' in the description, the actual vulnerability is Local File Inclusion (LFI) per the tags and affected product data. LFI differs from RFI in that attackers can only include files already present on the server rather than remotely hosted malicious code. However, LFI can still lead to information disclosure by reading sensitive files like wp-config.php, or achieve code execution by including uploaded files (e.g., malicious images with embedded PHP) or leveraging PHP wrappers and log poisoning techniques.
Affected ProductsAI
ThemeREX Ozisti WordPress theme versions from initial release through 1.1.10 inclusive are vulnerable. The vulnerability affects WordPress installations running this theme regardless of WordPress core version. No specific CPE identifier is provided in the available data. Vendor advisory and patch information are available through Patchstack database at https://patchstack.com/database/Wordpress/Theme/ozisti/vulnerability/wordpress-ozisti-theme-1-1-10-local-file-inclusion-vulnerability.
RemediationAI
Upgrade Ozisti theme to version 1.1.11 or later if available, confirming with ThemeREX or through the Patchstack advisory that the fix addresses CVE-2026-28093. Until patching, implement restrictive file access controls by configuring web server rules to block direct access to theme PHP files except index.php and necessary entry points, though this may break legitimate theme functionality requiring testing. Deploy a WordPress security plugin with virtual patching capabilities (e.g., Wordfence, Patchstack) configured to block malicious file path traversal patterns in HTTP requests targeting the theme directory. If the theme is not actively required, deactivate and switch to a maintained alternative theme, then remove Ozisti files completely. Monitor server logs for suspicious requests containing path traversal sequences (../, %2e%2e%2f) or attempts to access sensitive files (wp-config.php, /etc/passwd) through theme endpoints. Consult the Patchstack database entry for specific indicators of compromise and additional mitigation guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-98 – PHP Remote File Inclusion
View allShare
External POC / Exploit Code
Leaving vuln.today