CVE-2026-28019: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ThemeREX Manoir

Published: Thu Mar 05 2026 (03/05/2026, 05:54:10 UTC)
Source: CVE Database V5
Vendor/Project: ThemeREX
Product: Manoir

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Manoir manoir allows PHP Local File Inclusion. This issue affects Manoir: from n/a through <= 1.11.

AI-Powered Analysis

Last updated: 03/05/2026, 07:34:45 UTC

Technical Analysis

CVE-2026-28019 is a Local File Inclusion (LFI) vulnerability in the ThemeREX Manoir WordPress theme, affecting versions up to and including 1.11. The flaw stems from improper control of the filename passed to a PHP include or require statement: insufficient validation or sanitization of that parameter lets an attacker steer the statement at arbitrary files on the server. The immediate consequence is disclosure of sensitive files such as configuration files, password files, or other critical data stored on the server. If combined with other vulnerabilities or misconfigurations (for example, some way to place a malicious file elsewhere on the server), including that file can escalate the issue to remote code execution.

No public exploits have been reported yet, and no official patch links are available at the time of publication. The vulnerability has no assigned CVSS score, but LFI flaws typically allow attackers to escalate their access or gather intelligence for further attacks. Manoir is a popular ThemeREX theme used for portfolio and business websites; given how much of the web WordPress powers, the potential attack surface is considerable. The CVE was reserved on February 25, 2026 and published on March 5, 2026. Whether exploitation requires authentication depends on how the theme implements the vulnerable functionality and how that functionality is exposed to users or visitors.

Potential Impact

The impact of CVE-2026-28019 can be significant for organizations running the vulnerable Manoir theme. Successful exploitation can disclose sensitive server files, including configuration files holding database credentials or API keys, which in turn facilitate further attacks. In the worst case an attacker may achieve remote code execution by including a malicious file, leading to full site compromise, defacement, data theft, or pivoting into internal networks, with the attendant reputational damage, financial losses, and regulatory penalties. Because WordPress sites are usually public-facing, a remote attacker can exploit the flaw without authentication if the vulnerable code path is publicly reachable. The widespread use of WordPress and of the Manoir theme increases the potential scale of impact globally, and a compromised site may serve as a foothold for follow-on attacks such as ransomware or supply chain compromises.

Mitigation Recommendations

To mitigate CVE-2026-28019, organizations should first inventory all installations of the ThemeREX Manoir theme and flag any at version 1.11 or earlier. Until an official patch is released, administrators should restrict access to any endpoints or functionality that perform dynamic file inclusion, or disable the vulnerable features where possible. Strict input validation on every parameter that influences file inclusion is critical: map request values to an allowlist of permitted filenames or paths, and reject any input containing directory traversal sequences or remote URLs. Monitoring web server logs for requests that attempt file inclusion helps detect exploitation attempts early. Organizations should also maintain regular backups and keep WordPress core, themes, and plugins up to date; once ThemeREX releases a security update for this issue, apply it promptly. A Web Application Firewall (WAF) with rules targeting LFI patterns adds a further layer of defense, and training developers and administrators in secure file-inclusion practices helps prevent similar vulnerabilities in the future.
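The allowlist-and-containment pattern the recommendations describe, shown as an added illustration that is not Manoir's code: the function names, the parts directory and the allowlist keys are hypothetical, while get_template_directory() and sanitize_key() are standard WordPress functions.

```php
<?php
// Added illustrative example (not taken from the Manoir theme): loading a
// caller-selected template part without letting the request control which
// file is included. Function names, the "parts" directory and the allowlist
// keys are hypothetical.

// Vulnerable shape (shown for contrast, not called): the request value flows
// straight into include(), so "../" sequences or php:// and http:// wrappers
// in $_GET['part'] would be honoured by PHP.
function theme_load_part_unsafe(): void {
    $part = $_GET['part'] ?? 'default';
    include get_template_directory() . '/parts/' . $part . '.php';
}

// Hardened shape: the request may only pick a key from a fixed allowlist, and
// the resolved path is verified to stay inside the theme's parts directory.
function theme_load_part_safe(string $requested): bool {
    static $allowed = [
        'header'  => 'header.php',
        'footer'  => 'footer.php',
        'gallery' => 'gallery.php',
    ];
    if (!array_key_exists($requested, $allowed)) {
        return false; // unknown key: include nothing
    }
    $base = realpath(get_template_directory() . '/parts');
    $path = realpath($base . '/' . $allowed[$requested]);
    // realpath() resolves symlinks and "..", so the prefix check below is a
    // reliable containment test even if the allowlist is later edited.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Usage in a template: the request chooses an allowlist key, never a path.
theme_load_part_safe(sanitize_key($_GET['part'] ?? 'header'));
```

A WAF rule or log monitor can then treat any request whose part parameter contains "..", a URL scheme or a PHP stream wrapper as an exploitation attempt, since no legitimate value ever needs those characters.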


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2026-02-25T12:13:12.449Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69a9205ad1a09e29cbe69b24

Added to database: 3/5/2026, 6:19:06 AM

Last enriched: 3/5/2026, 7:34:45 AM

Last updated: 3/5/2026, 2:53:44 PM
