CVE-2026-28009 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX DroneX WordPress theme, specifically in versions up to 1.1.12. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the filename input to include arbitrary files from the local server. By exploiting this, an attacker can read sensitive files such as configuration files, password files, or even execute malicious PHP code if they can upload files to the server. The vulnerability is classified as an LFI rather than Remote File Inclusion (RFI) because it does not allow inclusion of remote files directly, but local files only. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the common use of the DroneX theme in WordPress environments and the critical nature of file inclusion vulnerabilities. The lack of a CVSS score means severity must be assessed based on impact and exploitability factors. The vulnerability was published on March 5, 2026, and was reserved on February 25, 2026. No official patch links are available yet, indicating that users must rely on temporary mitigations or vendor updates when released.

The impact of CVE-2026-28009 is substantial for organizations using the DroneX WordPress theme. Successful exploitation can lead to unauthorized disclosure of sensitive information such as database credentials, configuration files, or user data. It can also enable attackers to execute arbitrary PHP code on the web server, potentially leading to full server compromise, data theft, or pivoting within the network. This can disrupt business operations, damage reputation, and result in regulatory non-compliance if sensitive data is exposed. Since WordPress is widely used globally, and themes like DroneX are popular for certain niches, the scope of affected systems is significant. The vulnerability does not require authentication or user interaction, increasing the risk of automated exploitation by attackers scanning for vulnerable sites. Organizations hosting websites with DroneX should consider this a high-risk issue requiring immediate attention.

To mitigate CVE-2026-28009, organizations should first monitor ThemeREX announcements for official patches and apply them promptly once available. Until a patch is released, administrators can implement the following specific mitigations: 1) Restrict PHP include paths using open_basedir or disable allow_url_include in php.ini to limit file inclusion to safe directories. 2) Employ Web Application Firewalls (WAFs) with rules to detect and block suspicious include parameter manipulations. 3) Harden file permissions on the server to prevent unauthorized file uploads or access to sensitive files. 4) Review and sanitize all user inputs that influence file inclusion logic to prevent injection of malicious paths. 5) Disable or restrict unused theme features that involve dynamic file inclusion. 6) Conduct regular security audits and vulnerability scans focusing on WordPress themes and plugins. 7) Maintain backups and incident response plans to quickly recover from potential exploitation. These targeted actions go beyond generic advice and address the specific nature of this LFI vulnerability.