CVE-2026-27991 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Avventure WordPress theme, specifically in versions up to and including 1.1.12. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements. This flaw allows an attacker to manipulate the filename parameter to include arbitrary files from the local server. Such an inclusion can lead to disclosure of sensitive files (e.g., configuration files, password files), or in some cases, execution of malicious code if the attacker can upload files to the server. The vulnerability is classified as an improper control of filename for include/require statements, a common PHP security issue that can lead to Local File Inclusion attacks. No CVSS score has been assigned yet, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability is publicly disclosed and thus may attract attackers. The affected product, ThemeREX Avventure, is a WordPress theme used for building websites, which means the attack surface includes any WordPress site using this theme. The vulnerability does not specify if authentication or user interaction is required, but typically such LFI vulnerabilities can be exploited remotely without authentication if the vulnerable parameter is exposed. The issue was reserved on February 25, 2026, and published on March 5, 2026, indicating a recent discovery. No patches or fixes are linked yet, so users must monitor vendor updates or apply temporary mitigations.

The impact of CVE-2026-27991 can be severe for organizations using the ThemeREX Avventure theme. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including configuration files containing database credentials or other secrets, compromising confidentiality. In some scenarios, attackers may leverage LFI to execute arbitrary code, leading to full system compromise, affecting integrity and availability. This can result in website defacement, data theft, or use of the compromised server as a pivot point for further attacks. For organizations relying on affected WordPress sites for business operations, this can cause reputational damage, financial loss, and regulatory compliance issues. Since WordPress powers a significant portion of the web, the scope of affected systems is potentially large. The ease of exploitation, especially if no authentication is required, increases the risk. Even though no exploits are currently known in the wild, the public disclosure may lead to rapid development of exploit tools by attackers.

Organizations should immediately verify if they are using the ThemeREX Avventure theme version 1.1.12 or earlier. Until an official patch is released, they should consider the following mitigations: 1) Restrict access to vulnerable parameters by implementing Web Application Firewall (WAF) rules that detect and block suspicious include/require attempts or directory traversal patterns. 2) Disable or restrict PHP functions like include(), require(), include_once(), and require_once() from processing user-controlled input where possible. 3) Employ strict input validation and sanitization to ensure only allowed filenames or paths are processed. 4) Use PHP configuration directives such as open_basedir to limit file system access to designated directories. 5) Monitor web server logs for unusual requests that attempt to exploit file inclusion. 6) Keep backups and prepare for rapid patch deployment once the vendor releases a fix. 7) Consider temporarily switching to a different theme if feasible. 8) Educate developers and administrators about secure coding practices to prevent similar issues.