CVE-2026-28124 is a Local File Inclusion (LFI) vulnerability affecting AncoraThemes Notarius, a WordPress theme, in versions up to and including 1.9. The vulnerability stems from improper validation and control of filenames used in PHP include or require statements. This flaw allows an attacker to manipulate the file path parameter, causing the application to include unintended files from the local filesystem. Such an inclusion can lead to disclosure of sensitive information (e.g., configuration files, password files), execution of arbitrary PHP code if an attacker can upload or control files, or even full system compromise in some scenarios. The vulnerability does not require authentication or user interaction, increasing its risk profile. Although no known public exploits exist yet, the nature of LFI vulnerabilities makes them attractive targets for attackers. The issue was reserved in late February 2026 and published in early March 2026, but no patches or fixes have been officially released by AncoraThemes as of now. The affected product is primarily used within WordPress environments, which are widely deployed globally, especially in small to medium-sized business websites. The lack of a CVSS score necessitates an expert severity assessment based on impact and exploitability factors.

The impact of CVE-2026-28124 can be severe for organizations using the vulnerable Notarius theme. Successful exploitation can lead to unauthorized disclosure of sensitive files, including credentials, configuration files, and source code, compromising confidentiality. If attackers can execute arbitrary PHP code via file inclusion, they may gain full control over the web server, leading to integrity and availability impacts such as data tampering, website defacement, or denial of service. The vulnerability requires no authentication, making it exploitable by remote attackers without prior access. Organizations relying on Notarius for their web presence risk reputational damage, data breaches, and potential lateral movement within their networks. The widespread use of WordPress themes increases the potential attack surface, especially for sites with weak overall security controls. The absence of known exploits currently limits immediate risk, but the vulnerability remains a critical concern until patched.

To mitigate CVE-2026-28124, organizations should immediately audit their WordPress installations to identify the use of the AncoraThemes Notarius theme, particularly versions up to 1.9. Until an official patch is released, administrators should consider disabling or replacing the vulnerable theme. Implement strict input validation and sanitization on any parameters that influence file inclusion to prevent path traversal or manipulation. Employ web application firewalls (WAFs) with rules designed to detect and block suspicious file inclusion attempts. Restrict PHP's include_path and disable dangerous PHP functions such as include(), require(), and their variants if not needed. Monitor server logs for unusual file access patterns or errors indicative of LFI attempts. Regularly back up website data and maintain an incident response plan to quickly address potential compromises. Engage with AncoraThemes or trusted security vendors for updates and patches as they become available.