CVE-2026-28086 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Run Gran WordPress theme, specifically due to improper control over the filename parameter used in PHP include or require statements. This vulnerability arises when user-supplied input is not properly sanitized or validated before being passed to PHP functions that include files, allowing an attacker to specify arbitrary files on the server to be included and executed. The affected versions include all releases up to and including version 2.0 of the Run Gran theme. Exploiting this vulnerability can lead to disclosure of sensitive files such as configuration files, source code, or credentials, and may also enable remote code execution if combined with other vulnerabilities or misconfigurations. The vulnerability does not currently have a CVSS score or known exploits in the wild, and no official patches have been released as of the publication date. The issue is critical in nature because it affects the integrity and confidentiality of the server environment and can be exploited remotely without authentication if the vulnerable code is exposed to user input. The lack of patch links suggests that users must rely on temporary mitigations until an official fix is available.

The impact of CVE-2026-28086 is significant for organizations using the ThemeREX Run Gran theme on their WordPress sites. Successful exploitation can lead to unauthorized disclosure of sensitive data, including server configuration files, database credentials, and application source code. This can facilitate further attacks such as privilege escalation, remote code execution, or complete site compromise. For businesses, this could result in data breaches, loss of customer trust, website defacement, or downtime. Since WordPress is widely used globally, and themes like Run Gran are popular for certain niches, the scope of affected systems could be substantial. The vulnerability could be exploited by attackers remotely without authentication if the vulnerable functionality is exposed, increasing the risk. Organizations that do not promptly address this vulnerability may face compliance issues and reputational damage if exploited.

To mitigate CVE-2026-28086, organizations should immediately audit their WordPress installations to identify if the Run Gran theme version 2.0 or earlier is in use. Until an official patch is released, administrators should consider disabling or removing the theme if it is not essential. If removal is not feasible, restrict access to the vulnerable PHP files by implementing web application firewall (WAF) rules that block suspicious requests attempting to manipulate include parameters. Additionally, input validation and sanitization should be enforced at the application level to prevent malicious input from reaching include/require statements. Employing the principle of least privilege on the web server and PHP configuration can limit the impact of file inclusion attacks. Monitoring web server logs for unusual file inclusion attempts and setting up alerts can help detect exploitation attempts early. Finally, maintain regular backups and prepare for rapid incident response in case of compromise.