CVE-2026-28097 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Artrium WordPress theme, versions up to 1.0.14. The issue arises due to improper control over the filename parameter used in PHP include or require statements, which allows an attacker to manipulate the file path and include arbitrary files from the server's filesystem. This can lead to sensitive information disclosure, such as configuration files, password files, or other critical data stored on the server. In some cases, LFI can be leveraged to execute arbitrary code if combined with other vulnerabilities or if the attacker can upload malicious files. The vulnerability does not have a CVSS score yet and no public exploits are known, but the flaw is typical of PHP applications that do not properly sanitize user input used in file inclusion functions. The affected product, ThemeREX Artrium, is a WordPress theme used primarily for creative and portfolio websites. The vulnerability was published on March 5, 2026, and was reserved on February 25, 2026. The lack of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for users to apply workarounds or monitor for updates.

The exploitation of this vulnerability can lead to significant confidentiality breaches by allowing attackers to read arbitrary files on the web server, potentially exposing sensitive data such as database credentials, configuration files, or user data. This can also compromise the integrity of the system if attackers leverage the LFI to execute arbitrary code or chain it with other vulnerabilities. Availability impact is generally limited unless the attacker uses the vulnerability to disrupt the application or server. Organizations using the affected theme are at risk of targeted attacks, especially if their web servers are internet-facing and not properly segmented or hardened. The lack of authentication requirements and user interaction makes the attack easier to execute remotely. This can lead to data breaches, unauthorized access, and potential lateral movement within the network, impacting business operations and reputation.

1. Immediately update the ThemeREX Artrium theme to a version that addresses this vulnerability once available. 2. In the absence of an official patch, implement input validation and sanitization on all parameters used in include or require statements to restrict file paths to safe directories only. 3. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit LFI vulnerabilities. 4. Restrict file permissions on the web server to limit access to sensitive files and directories. 5. Disable PHP functions that are not required and can be abused for file inclusion, such as allow_url_include, if applicable. 6. Monitor web server logs for suspicious requests attempting to manipulate file inclusion parameters. 7. Conduct regular security audits and penetration testing focusing on file inclusion and input validation vulnerabilities. 8. Isolate the web server environment to minimize the impact of a potential compromise.