CVE-2026-27996 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Lingvico WordPress theme, affecting versions up to 1.0.14. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements, allowing an attacker to manipulate the input to include arbitrary local files on the server. This can lead to unauthorized disclosure of sensitive files such as configuration files, source code, or credentials stored on the server. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or misconfigurations. The vulnerability does not require user interaction and can be exploited remotely by sending crafted HTTP requests to the vulnerable web application. Although no public exploits are currently documented, the flaw is critical because it compromises the confidentiality and integrity of the affected system. The vulnerability was reserved and published in early 2026, but no patches or fixes have been officially released by ThemeREX at the time of this report. The lack of a CVSS score necessitates an expert severity assessment based on the nature of the vulnerability and its potential impact.

The primary impact of this vulnerability is unauthorized access to sensitive files on the web server, which can lead to information disclosure, including database credentials, configuration files, or source code. This exposure can facilitate further attacks such as privilege escalation, remote code execution, or complete system compromise if attackers find ways to execute code via included files. For organizations, this can result in data breaches, loss of customer trust, regulatory penalties, and operational disruption. Since the vulnerability affects a WordPress theme, it potentially impacts a wide range of websites, including small businesses, educational institutions, and enterprises using Lingvico. The ease of exploitation without authentication increases the risk of automated scanning and exploitation attempts by attackers. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk until patched.

1. Immediate mitigation involves disabling or removing the vulnerable Lingvico theme from WordPress installations until an official patch is released. 2. Restrict web server permissions to limit access to sensitive files and directories, minimizing the impact of potential LFI exploitation. 3. Employ Web Application Firewalls (WAFs) with rules designed to detect and block suspicious include/require parameter manipulations. 4. Monitor web server logs for unusual requests that attempt to exploit file inclusion vulnerabilities. 5. Keep all WordPress core, themes, and plugins updated regularly to incorporate security patches promptly. 6. Implement strict input validation and sanitization on all user-controlled inputs, especially those used in file inclusion functions, to prevent malicious manipulation. 7. Conduct security audits and penetration testing focused on file inclusion vulnerabilities to identify and remediate similar issues proactively. 8. Segregate critical systems and sensitive data to reduce the blast radius in case of compromise.