CVE-2026-28064 identifies a Local File Inclusion (LFI) vulnerability in the ThemeREX Edge Decor WordPress theme, specifically due to improper control over the filename parameter used in PHP include or require statements. This vulnerability arises when user-supplied input is not properly sanitized or validated before being passed to PHP functions that include files, allowing attackers to specify arbitrary files on the server to be included and executed within the application context. The affected product is Edge Decor versions up to 2.2. LFI vulnerabilities can be exploited to read sensitive files such as configuration files, password stores, or logs, and in some cases, combined with other vulnerabilities, can lead to remote code execution. Although no public exploits are currently documented, the flaw's presence in a widely used WordPress theme poses a significant risk. The vulnerability was reserved and published in early 2026, but no CVSS score has been assigned yet. The lack of patch links suggests that a fix may not yet be available or publicly disclosed. The vulnerability's exploitation complexity depends on how the theme processes input controlling the include path and whether authentication or specific user roles are required to trigger the flaw.

The impact of this vulnerability is substantial for organizations using the Edge Decor theme on WordPress sites. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including credentials, configuration data, and application source code, compromising confidentiality. Attackers might also execute arbitrary code if they can include files containing malicious payloads, threatening integrity and availability. This can result in website defacement, data breaches, or full server compromise. For businesses relying on WordPress for e-commerce, customer portals, or content management, such breaches can cause reputational damage, regulatory penalties, and financial losses. The scope is limited to sites using the vulnerable theme versions, but given WordPress's global popularity, the number of affected sites could be significant. The absence of known exploits in the wild currently reduces immediate risk, but the vulnerability remains a critical attack vector if weaponized.

Organizations should immediately audit their WordPress installations to identify the use of the Edge Decor theme and verify the version. If running version 2.2 or earlier, they should seek updates or patches from ThemeREX as soon as they become available. In the absence of official patches, applying virtual patching via Web Application Firewalls (WAFs) to block suspicious requests attempting to manipulate include paths is recommended. Restricting file permissions on the server to limit access to sensitive files can reduce exploitation impact. Additionally, disabling PHP functions like include(), require(), or configuring open_basedir restrictions can mitigate LFI risks. Regularly monitoring web server logs for anomalous requests targeting file inclusion parameters can help detect exploitation attempts early. Employing security plugins that scan for vulnerable themes and enforce input validation can further reduce risk. Finally, educating developers and administrators about secure coding practices and input sanitization is essential to prevent similar vulnerabilities.