The vulnerability identified as CVE-2026-28066 affects the ThemeREX Legrand WordPress theme, specifically versions up to 2.17. It arises from improper control of filenames used in PHP include or require statements, which leads to a Local File Inclusion (LFI) vulnerability. LFI vulnerabilities occur when an application allows user input to influence file paths without adequate validation or sanitization, enabling attackers to include files from the local filesystem. In this case, the Legrand theme does not properly restrict or sanitize the filename parameter used in PHP include/require functions, allowing an attacker to specify arbitrary files to be included and executed by the PHP interpreter. This can lead to disclosure of sensitive files such as configuration files, password files, or application source code. In some scenarios, it may also enable remote code execution if an attacker can upload malicious files or leverage other vulnerabilities. The vulnerability does not require authentication, making it accessible to unauthenticated remote attackers who can send crafted HTTP requests to the affected site. The affected product is a popular WordPress theme used for building websites, which increases the potential attack surface. No official patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. However, the vulnerability is publicly disclosed and documented in the CVE database, which may prompt attackers to develop exploits. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

The primary impact of CVE-2026-28066 is the potential unauthorized disclosure of sensitive information stored on the web server, including configuration files, credentials, and source code. This can facilitate further attacks such as privilege escalation, data theft, or website defacement. In some cases, if combined with other vulnerabilities or misconfigurations, it may lead to remote code execution, allowing attackers to execute arbitrary commands on the server. This compromises the confidentiality, integrity, and availability of the affected systems. Organizations using the Legrand theme for their websites risk data breaches, loss of customer trust, and potential regulatory penalties. The ease of exploitation without authentication increases the threat level, especially for public-facing websites. The scope of affected systems includes any WordPress site running the vulnerable versions of the Legrand theme, which could be widespread given the popularity of WordPress and commercial themes. The absence of known exploits currently limits immediate impact but also means organizations should act proactively before exploitation occurs.

1. Immediate mitigation involves updating the Legrand theme to a patched version once available from the vendor or ThemeREX. Monitor official channels for security updates. 2. Until a patch is released, implement web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate include parameters or access local files. 3. Restrict PHP include paths using configuration directives such as open_basedir to limit file inclusion to trusted directories. 4. Disable or restrict the use of dynamic file inclusion in the theme code if possible by modifying the theme source to validate and sanitize input parameters rigorously. 5. Conduct regular security audits and vulnerability scans on WordPress sites to detect similar issues. 6. Employ the principle of least privilege for web server file permissions to minimize the impact of file inclusion attacks. 7. Monitor web server logs for unusual access patterns indicative of exploitation attempts. 8. Educate site administrators on the risks of using outdated themes and the importance of timely updates. These measures collectively reduce the attack surface and help prevent exploitation until an official patch is applied.