CVE-2026-28098 identifies a Local File Inclusion (LFI) vulnerability in the ThemeREX Save Life WordPress theme, specifically in versions up to 1.2.13. The vulnerability stems from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the input to these functions, causing the application to include unintended files from the local filesystem. Such an inclusion can lead to disclosure of sensitive information such as configuration files, source code, or other critical data stored on the server. In some cases, LFI can be leveraged to execute arbitrary code, especially if combined with other vulnerabilities like file upload flaws or log poisoning. The vulnerability does not require authentication or user interaction, increasing its risk profile. No public exploits have been reported yet, and no official patches or updates are linked in the provided data, though the issue is publicly disclosed as of March 2026. The lack of a CVSS score necessitates an expert severity assessment. The vulnerability affects the PHP codebase of the theme, which is widely used in WordPress installations, making it a relevant concern for website administrators using this theme.

The primary impact of this vulnerability is unauthorized disclosure of sensitive files, which can include credentials, configuration files, or other critical data, compromising confidentiality. If chained with other vulnerabilities, it could lead to remote code execution, threatening the integrity and availability of affected systems. Exploitation can allow attackers to gain deeper access into the web server environment, potentially leading to full site compromise. For organizations, this can result in data breaches, defacement, loss of customer trust, and regulatory penalties. Since WordPress powers a significant portion of websites globally, and themes like Save Life are used in various sectors including NGOs, small businesses, and personal blogs, the scope of impact is broad. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks or scanning by threat actors. The absence of known exploits currently limits immediate widespread impact, but the public disclosure increases risk over time if unpatched.

Administrators should immediately check for updates or patches from ThemeREX addressing this vulnerability and apply them as soon as available. In the absence of official patches, temporarily disabling or removing the vulnerable theme is advisable. Implement strict input validation and sanitization on any user-supplied data used in file inclusion functions to prevent manipulation. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities, such as suspicious URL patterns or file inclusion attempts. Restrict PHP file inclusion paths using configuration directives like open_basedir to limit accessible directories. Regularly audit and monitor web server logs for unusual access patterns indicative of exploitation attempts. Educate developers and administrators on secure coding practices to avoid similar issues in custom themes or plugins. Finally, maintain regular backups and incident response plans to recover quickly if exploitation occurs.