CVE-2026-28077 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Vapester WordPress theme, specifically affecting versions up to 1.1.10. The vulnerability arises from improper control of the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the filename input to include arbitrary files from the local server filesystem. Such inclusion can lead to disclosure of sensitive files such as configuration files, password files, or application source code, which can aid in further exploitation. In some cases, LFI can be chained with other vulnerabilities to achieve remote code execution. The vulnerability does not require authentication, making it accessible to unauthenticated attackers. Although no public exploits are currently reported, the nature of the vulnerability and the widespread use of WordPress themes make it a significant risk. The lack of a CVSS score indicates that the vulnerability is newly published and may not yet have been fully assessed. The vulnerability was published on March 5, 2026, with Patchstack as the assigner. No official patches or mitigation links are currently provided, indicating that users must monitor for updates or apply manual mitigations.

The primary impact of CVE-2026-28077 is unauthorized disclosure of sensitive information through Local File Inclusion. Attackers can read arbitrary files on the server, potentially exposing credentials, configuration details, or other sensitive data. This can lead to further compromise, including privilege escalation or remote code execution if combined with other vulnerabilities. The vulnerability affects the confidentiality and integrity of affected systems. Since the vulnerability is exploitable without authentication and requires only user interaction (sending crafted requests), it poses a significant risk to websites using the Vapester theme. Organizations relying on this theme for their WordPress sites may face data breaches, defacement, or complete site takeover. The impact is amplified for high-profile or business-critical websites, especially those handling sensitive user data or financial transactions.

Organizations should immediately audit their WordPress installations to identify if the Vapester theme version 1.1.10 or earlier is in use. Until an official patch is released, consider the following mitigations: 1) Disable or restrict access to vulnerable PHP include functionality by applying web application firewall (WAF) rules that block suspicious requests attempting to manipulate include parameters. 2) Implement strict input validation and sanitization on any user-controllable parameters related to file inclusion. 3) Restrict file permissions on the server to limit access to sensitive files that could be disclosed via LFI. 4) Monitor web server logs for unusual requests targeting include or require parameters. 5) Consider temporarily disabling or replacing the Vapester theme with a secure alternative if patching is not immediately possible. 6) Stay updated with ThemeREX vendor announcements and apply official patches as soon as they become available. 7) Employ runtime application self-protection (RASP) tools if available to detect and block LFI attempts in real time.