CVE-2026-28128 is a Local File Inclusion (LFI) vulnerability found in the ThemeREX Verse WordPress theme, affecting versions up to 1.7.0. The vulnerability arises from improper control over the filename parameter used in PHP include or require statements. This flaw allows an attacker to manipulate the filename input to include arbitrary files from the server's filesystem. LFI vulnerabilities can lead to sensitive information disclosure, such as configuration files, password files, or other critical data stored on the server. In some cases, LFI can be chained with other vulnerabilities to achieve remote code execution, making it a serious threat. The vulnerability was publicly disclosed on March 5, 2026, but no CVSS score or official patch has been provided yet. The issue does not require authentication, meaning any unauthenticated attacker can attempt exploitation if the vulnerable theme is active on a WordPress site. While no known exploits are currently in the wild, the widespread use of WordPress and popularity of ThemeREX themes increase the risk of targeted attacks. The vulnerability is categorized under improper control of filenames in include/require statements, a common PHP security issue that can be mitigated by strict input validation and sanitization.

The impact of CVE-2026-28128 can be significant for organizations using the vulnerable ThemeREX Verse theme. Successful exploitation could allow attackers to read arbitrary files on the web server, potentially exposing sensitive configuration files, credentials, or user data. This can lead to further compromise, including privilege escalation or remote code execution if combined with other vulnerabilities. The confidentiality and integrity of data hosted on affected systems are at risk. Availability impact is generally lower but could occur if attackers use the vulnerability to disrupt services or execute malicious code. Given the ease of exploitation without authentication and the popularity of WordPress themes, the threat could affect a broad range of organizations, including businesses, government agencies, and non-profits relying on WordPress for their websites. The lack of an official patch increases the window of exposure, emphasizing the need for immediate mitigation.

1. Immediately audit all WordPress installations to identify those using the ThemeREX Verse theme, especially versions up to 1.7.0. 2. Disable or remove the vulnerable theme until a security patch is released by the vendor. 3. Implement strict input validation and sanitization on any user-controllable parameters related to file inclusion within custom code or plugins. 4. Restrict file system permissions to limit the web server's access to sensitive directories and files, minimizing the impact of potential LFI exploitation. 5. Monitor web server logs and application logs for suspicious requests attempting to manipulate include or require parameters. 6. Employ Web Application Firewalls (WAFs) with rules designed to detect and block LFI attack patterns targeting PHP applications. 7. Keep WordPress core, themes, and plugins updated regularly to reduce exposure to known vulnerabilities. 8. Prepare an incident response plan to quickly address any signs of compromise related to this vulnerability. 9. Follow vendor communications closely for the release of official patches or updates addressing this issue.