CVE-2026-28118 is a security vulnerability identified in the axiomthemes Welldone WordPress theme, specifically involving improper control over the filename parameter used in PHP include or require statements. This vulnerability manifests as a Local File Inclusion (LFI) flaw, where the application fails to properly validate or sanitize user-supplied input that determines which files are included during runtime. As a result, an attacker can manipulate the filename parameter to include arbitrary files from the server's filesystem. This can lead to sensitive information disclosure, such as configuration files or password stores, and in some cases, if combined with other vulnerabilities or misconfigurations, may allow remote code execution. The affected versions include all releases up to and including version 2.4 of the Welldone theme. The vulnerability was published on March 5, 2026, with no CVSS score assigned and no known exploits reported in the wild at the time of publication. The root cause is the lack of proper input validation and sanitization in the PHP code handling file inclusion. Since WordPress themes are widely used for website presentation, this vulnerability could affect many websites that have not updated or patched the theme. The absence of a patch link indicates that a fix may not yet be publicly available, increasing the urgency for users to implement temporary mitigations.

The impact of CVE-2026-28118 is significant for organizations using the Welldone WordPress theme. Exploitation of this LFI vulnerability can lead to unauthorized disclosure of sensitive server files, including configuration files, credentials, and other critical data, compromising confidentiality. In some scenarios, attackers may leverage the vulnerability to execute arbitrary code or pivot further into the network, affecting integrity and availability. This can result in website defacement, data breaches, or service disruptions. Given the widespread use of WordPress globally, many small to medium-sized businesses and content-driven websites are at risk, especially those that do not regularly update themes or implement security best practices. The lack of authentication requirements and user interaction for exploitation increases the threat level, making automated attacks feasible. Although no active exploits are known, the vulnerability's nature and potential impact warrant urgent attention to prevent future attacks.

To mitigate CVE-2026-28118, organizations should take the following specific actions: 1) Immediately audit all WordPress installations to identify usage of the Welldone theme and determine the version in use. 2) Apply any available patches or updates from axiomthemes as soon as they are released. 3) If patches are not yet available, implement temporary mitigations such as disabling or restricting PHP include/require functionality via configuration or code changes, particularly by enforcing strict whitelisting of allowable file paths. 4) Employ Web Application Firewalls (WAFs) with rules designed to detect and block attempts to exploit LFI vulnerabilities, including suspicious URL parameters or file inclusion patterns. 5) Harden server configurations by disabling remote file inclusion (allow_url_include=Off in php.ini) and restricting file permissions to limit access to sensitive files. 6) Monitor web server logs for unusual requests that attempt to manipulate include parameters. 7) Educate developers and administrators on secure coding practices to validate and sanitize all user inputs related to file operations. 8) Consider isolating or sandboxing web applications to limit the impact of potential compromises. These measures collectively reduce the attack surface and help protect against exploitation until a permanent fix is applied.