CVE-2026-27383 is a Local File Inclusion (LFI) vulnerability found in the RadiusTheme Metro WordPress theme, affecting versions up to 2.13. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary files from the local filesystem. This can lead to unauthorized disclosure of sensitive files such as configuration files, password stores, or source code, and potentially enable remote code execution if combined with other vulnerabilities or writable file locations. The issue is classified as an 'Improper Control of Filename for Include/Require Statement' vulnerability, a common PHP security flaw. No CVSS score has been assigned yet, and no public exploits have been reported, but the vulnerability is publicly disclosed as of March 2026. The lack of patches or mitigations from the vendor means that affected installations remain vulnerable. The vulnerability is particularly dangerous in shared hosting environments or where the web server has access to sensitive files. Attackers do not require authentication to exploit this flaw, increasing its risk profile. The vulnerability affects websites using the Metro theme, which is popular among WordPress users for its design and functionality. Given the widespread use of WordPress globally, this vulnerability has a broad potential impact.

The primary impact of CVE-2026-27383 is unauthorized access to sensitive files on the web server, which can lead to leakage of credentials, configuration details, or other confidential information. In some cases, attackers may leverage this vulnerability to execute arbitrary PHP code, resulting in full system compromise. This can lead to data breaches, defacement of websites, disruption of services, and potential lateral movement within the affected network. Organizations relying on the Metro theme for their public-facing websites or internal portals are at risk of reputational damage, regulatory penalties, and operational downtime. Since the vulnerability does not require authentication, it can be exploited by remote attackers without prior access, increasing the attack surface. The absence of known exploits in the wild currently limits immediate widespread damage, but the public disclosure increases the likelihood of future exploitation attempts. The impact is particularly severe for organizations in sectors such as finance, healthcare, government, and e-commerce, where sensitive data protection is critical.

Until an official patch is released by RadiusTheme, organizations should take immediate steps to mitigate the risk. First, disable or remove the Metro theme if it is not essential or replace it with a secure alternative. If removal is not feasible, restrict access to vulnerable PHP files using web server configuration rules or .htaccess to prevent unauthorized file inclusion. Implement strict input validation and sanitization on any user-supplied parameters that influence file inclusion logic. Deploy a Web Application Firewall (WAF) with rules targeting LFI attack patterns to detect and block exploitation attempts. Regularly monitor web server logs and intrusion detection systems for suspicious activity related to file inclusion attempts. Limit file permissions on the server to minimize the files accessible by the web server user, reducing the impact of potential exploitation. Stay informed about updates from RadiusTheme and apply patches promptly once available. Conduct a thorough security audit of all WordPress plugins and themes to identify and remediate similar vulnerabilities.