CVE-2026-28096 is a vulnerability classified as Improper Control of Filename for Include/Require Statement in PHP, specifically a Local File Inclusion (LFI) issue found in the ThemeREX WealthCo WordPress theme. The vulnerability arises because the theme improperly validates or sanitizes user-supplied input used in PHP include or require statements, allowing an attacker to manipulate the filename parameter. This can lead to the inclusion of arbitrary files from the server's filesystem. Such an LFI vulnerability can be leveraged to disclose sensitive information such as configuration files, source code, or credentials stored on the server. In some cases, it may enable remote code execution if combined with other vulnerabilities or if the attacker can upload malicious files. The affected versions include all WealthCo versions up to and including 2.18, with no specific lower bound version identified. The vulnerability was published in early March 2026, with no CVSS score assigned and no known public exploits reported. The lack of patches or official fixes at the time of publication increases the urgency for organizations to implement mitigations. The vulnerability does not require user interaction but may require the attacker to send crafted requests to the vulnerable theme's PHP scripts. The improper filename control is a common and critical security issue in PHP applications, especially in WordPress themes and plugins, which are frequent targets for attackers due to their widespread use and potential for privilege escalation.

The exploitation of CVE-2026-28096 can have severe consequences for organizations using the WealthCo theme. Successful exploitation can lead to unauthorized disclosure of sensitive files, including configuration files containing database credentials or API keys, which can compromise the confidentiality of the system. Additionally, attackers may leverage this vulnerability to execute arbitrary code or escalate privileges, threatening the integrity and availability of the affected web server and underlying infrastructure. This can result in website defacement, data theft, or the deployment of malware such as web shells or ransomware. Given the popularity of WordPress and the WealthCo theme in financial and wealth management sectors, the impact extends to organizations handling sensitive financial data, increasing the risk of regulatory non-compliance and reputational damage. The absence of known exploits currently limits immediate widespread impact, but the vulnerability's nature makes it a likely target for attackers once exploit code becomes available. Organizations worldwide relying on WealthCo for their web presence face a significant risk until mitigations or patches are applied.

To mitigate CVE-2026-28096, organizations should immediately audit their WordPress installations to identify the use of the WealthCo theme, particularly versions up to 2.18. If possible, upgrade to a patched version once available from ThemeREX or apply any official security updates. In the absence of patches, implement strict input validation and sanitization on any parameters used in include or require statements within the theme's PHP code to prevent arbitrary file inclusion. Employ Web Application Firewalls (WAFs) with rules designed to detect and block attempts to exploit LFI vulnerabilities, such as suspicious URL patterns or encoded payloads. Restrict file system permissions to limit the web server's access to sensitive files and directories, minimizing the potential impact of file inclusion. Monitor web server logs for unusual requests that may indicate exploitation attempts. Additionally, consider isolating the WordPress environment using containerization or sandboxing to reduce the blast radius of a successful attack. Regularly back up website data and configurations to enable rapid recovery in case of compromise.