CVE-2026-27995 identifies a Local File Inclusion (LFI) vulnerability in the ThemeREX Justitia WordPress theme, specifically due to improper control of filenames used in PHP include or require statements. This vulnerability arises when the application fails to properly validate or sanitize user-supplied input that determines which files are included or required by the PHP runtime. An attacker can exploit this flaw by manipulating input parameters to cause the application to include arbitrary files from the server's filesystem. This can lead to disclosure of sensitive files such as configuration files, password files, or application source code. In some cases, it may also enable remote code execution if the attacker can upload malicious files or leverage other chained vulnerabilities. The affected product is the Justitia theme, versions up to 1.1.0, with no patches currently available. The vulnerability does not require authentication, increasing the risk of exploitation. Although no known exploits are currently in the wild, the nature of LFI vulnerabilities makes them attractive targets for attackers, especially in web hosting environments. The lack of a CVSS score means severity must be assessed based on impact factors, which indicate a high risk due to potential confidentiality breaches and server compromise.

The impact of CVE-2026-27995 is significant for organizations using the Justitia WordPress theme. Successful exploitation can lead to unauthorized disclosure of sensitive information stored on the server, including credentials, configuration files, and source code. This can facilitate further attacks such as privilege escalation, data theft, or full server compromise. The vulnerability can also be leveraged to execute arbitrary code if combined with other vulnerabilities or attacker-controlled file uploads, potentially resulting in complete loss of system integrity and availability. Organizations hosting customer data or critical web services using the affected theme face reputational damage, regulatory penalties, and operational disruption. The ease of exploitation without authentication increases the threat level, making it a critical concern for web administrators and security teams. The absence of patches means organizations must rely on immediate mitigation strategies to reduce exposure.

To mitigate CVE-2026-27995, organizations should first verify if they are using the Justitia theme version 1.1.0 or earlier and plan to update to a patched version once available. In the absence of an official patch, immediate steps include disabling or restricting access to vulnerable PHP scripts that handle file inclusion. Implement strict input validation and sanitization to ensure only allowed filenames or paths are processed by include/require statements. Employ web application firewalls (WAFs) with rules designed to detect and block LFI attack patterns. Restrict file system permissions to limit the PHP process's ability to read sensitive files outside designated directories. Monitor web server logs for suspicious requests that attempt directory traversal or unusual file inclusion patterns. Consider isolating the affected application in a sandboxed environment to limit potential damage. Finally, maintain regular backups and incident response plans to quickly recover from any exploitation.