CVE-2026-28093 identifies a Local File Inclusion (LFI) vulnerability within the ThemeREX Ozisti WordPress theme, specifically due to improper control over the filename parameter used in PHP include or require statements. This vulnerability arises when the application fails to properly validate or sanitize user-supplied input that determines which files are included and executed by the PHP interpreter. An attacker can exploit this flaw by manipulating the filename parameter to include arbitrary files from the local filesystem, potentially leading to disclosure of sensitive information such as configuration files, password files, or application source code. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or if the attacker can upload malicious files to the server. The affected product versions include all Ozisti theme versions up to and including 1.1.10. The vulnerability was publicly disclosed in early March 2026, with no CVSS score assigned and no known exploits in the wild at the time of publication. The vulnerability is categorized as a PHP Remote File Inclusion type but technically is a Local File Inclusion since it involves local files. The lack of authentication requirement and the direct impact on server-side code execution make this a critical concern for websites using this theme. No official patches or mitigation links were provided at disclosure, indicating that users must rely on vendor updates or manual mitigations.

The impact of CVE-2026-28093 is significant for organizations running websites with the vulnerable Ozisti theme. Successful exploitation can lead to unauthorized disclosure of sensitive server files, including credentials, configuration files, and source code, which can facilitate further attacks such as privilege escalation or full server compromise. This undermines confidentiality and integrity of the affected systems. Additionally, if attackers can chain this vulnerability with file upload flaws or other weaknesses, they may achieve remote code execution, severely impacting availability and control over the web server. The scope is limited to websites using the Ozisti theme, but given the popularity of WordPress and third-party themes, the number of affected sites could be substantial. The ease of exploitation is moderate to high since no authentication is required, but the attacker must identify and target the vulnerable parameter. Organizations hosting customer data or critical web services are at elevated risk, potentially leading to data breaches, reputational damage, and regulatory penalties.

To mitigate CVE-2026-28093, organizations should immediately verify if their WordPress installations use the ThemeREX Ozisti theme version 1.1.10 or earlier. If so, they should seek updates or patches from the vendor as soon as they become available. In the absence of official patches, manual mitigations include: 1) Implement strict input validation and sanitization on all parameters used in include/require statements to ensure only intended files can be included. 2) Employ PHP configuration directives such as open_basedir to restrict file inclusion to specific directories. 3) Disable allow_url_include in PHP settings to prevent remote file inclusion attempts. 4) Use Web Application Firewalls (WAFs) to detect and block suspicious requests attempting to exploit file inclusion. 5) Conduct thorough code reviews and penetration testing focusing on file inclusion vectors. 6) Monitor server logs for anomalous access patterns or errors related to file inclusion. 7) Limit file permissions on the server to prevent unauthorized file access. These steps reduce the attack surface and help prevent exploitation until official patches are applied.