CVE-2026-28095 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Marcell WordPress theme, affecting versions up to and including 1.2.14. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input that determines which file is included by the PHP interpreter, potentially leading to the inclusion of unintended local files. Such exploitation can result in disclosure of sensitive information (e.g., configuration files, password files), or in some cases, enable remote code execution if an attacker can upload malicious files to the server. The vulnerability is classified as a PHP Remote File Inclusion type but specifically manifests as Local File Inclusion due to the nature of the input control. No official patches or fixes are referenced yet, and no known exploits have been observed in the wild. The vulnerability was reserved on February 25, 2026, and published on March 5, 2026. The absence of a CVSS score requires an independent severity assessment. The affected product is the Marcell theme by ThemeREX, a popular WordPress theme used globally. The vulnerability's exploitation depends on the attacker's ability to influence the filename parameter, which may be exposed via URL parameters, form inputs, or other user-controllable data. The flaw can compromise confidentiality and integrity of the affected systems and may lead to full system compromise if combined with other vulnerabilities or misconfigurations.

The impact of CVE-2026-28095 is significant for organizations using the ThemeREX Marcell WordPress theme. Successful exploitation can lead to unauthorized disclosure of sensitive files, including configuration files containing database credentials, API keys, or other secrets. This can facilitate further attacks such as privilege escalation or lateral movement within the network. In some scenarios, attackers may achieve remote code execution by including files they control, leading to full system compromise. The vulnerability threatens the confidentiality and integrity of affected systems and can disrupt availability if attackers modify or delete critical files. Given the widespread use of WordPress and the popularity of commercial themes like Marcell, many websites globally could be impacted, including corporate, governmental, and e-commerce platforms. The lack of known exploits in the wild suggests limited current exploitation, but the vulnerability's nature makes it an attractive target for attackers once weaponized. Organizations face reputational damage, data breaches, and potential regulatory penalties if exploited.

To mitigate CVE-2026-28095, organizations should first check for updates or patches from ThemeREX and apply them promptly once available. In the absence of official patches, administrators should audit the theme's codebase to identify and restrict any user-controllable inputs used in include or require statements. Implement strict input validation and sanitization to ensure only safe, expected filenames are processed. Employ allowlisting of filenames or use fixed paths rather than dynamic inclusion based on user input. Disable PHP functions that allow remote file inclusion if not required (e.g., allow_url_include). Use web application firewalls (WAFs) to detect and block suspicious file inclusion attempts. Regularly monitor logs for unusual access patterns or errors related to file inclusion. Consider isolating WordPress installations and limiting file permissions to minimize the impact of potential exploitation. Conduct security awareness training for developers and administrators on secure coding practices related to file inclusion.