CVE-2026-27097 is a vulnerability classified as improper control of filename for include/require statements in PHP programs, specifically affecting the AncoraThemes CasaMia WordPress theme (versions up to 1.1.2). This vulnerability enables PHP Remote File Inclusion (RFI), where an attacker can manipulate the filename parameter used in PHP include or require functions to load and execute arbitrary remote files. This occurs because the theme fails to properly validate or sanitize user-supplied input that determines which files are included, allowing attackers to specify malicious URLs or file paths. Successful exploitation can lead to remote code execution on the web server hosting the vulnerable theme, enabling attackers to execute arbitrary PHP code, potentially leading to full site compromise, data theft, defacement, or pivoting to other internal systems. The vulnerability is particularly dangerous because it does not require authentication or user interaction, making it exploitable by any remote attacker. Although no public exploits have been reported to date, the nature of RFI vulnerabilities historically makes them attractive targets for attackers. The vulnerability affects websites using the CasaMia theme, which is designed for property rental and real estate businesses, typically deployed on WordPress CMS platforms. Due to the lack of a CVSS score, severity assessment is based on the potential for remote code execution, ease of exploitation, and the scope of affected systems. No official patches or mitigation links have been provided yet, indicating the need for immediate attention from site administrators and theme developers.

The impact of CVE-2026-27097 is significant for organizations using the CasaMia WordPress theme. Exploitation can lead to remote code execution, allowing attackers to take full control of the affected web server. This can result in unauthorized access to sensitive data, website defacement, injection of malicious content (such as malware or phishing pages), and use of the compromised server as a pivot point for further attacks within the organization's network. For real estate businesses, this could mean exposure of client information, disruption of online services, and damage to reputation. Additionally, compromised websites can be blacklisted by search engines or security services, causing loss of traffic and revenue. The vulnerability's remote exploitability without authentication increases the risk of widespread attacks, especially if automated scanning tools identify vulnerable sites. Organizations worldwide that rely on this theme for their online presence are at risk until mitigations or patches are applied.

To mitigate CVE-2026-27097, organizations should immediately check if they are using the CasaMia WordPress theme version 1.1.2 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement the following specific mitigations: 1) Disable or restrict the use of PHP include/require statements that accept user input by modifying theme code to validate and sanitize all inputs rigorously, allowing only predefined, safe filenames. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block requests attempting to exploit file inclusion vulnerabilities, such as those containing suspicious URL parameters or remote file references. 3) Restrict outbound HTTP requests from the web server to prevent fetching remote files, using firewall rules or PHP configuration (e.g., disabling allow_url_include and allow_url_fopen). 4) Conduct thorough code reviews of customizations and plugins to ensure no other components are vulnerable to similar attacks. 5) Regularly back up website data and maintain incident response plans to quickly recover from potential compromises. 6) Monitor web server logs for unusual requests or errors indicative of exploitation attempts. These targeted actions go beyond generic advice and focus on the specific nature of this RFI vulnerability.