{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28007", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:06.634Z", "datePublished": "2026-03-05T05:54:07.474Z", "dateUpdated": "2026-04-28T17:24:33.714Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "coinpress", "product": "Coinpress", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.0.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:34.411Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion.<p>This issue affects Coinpress: from n/a through <= 1.0.14.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion.This issue affects Coinpress: from n/a through <= 1.0.14."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.048Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/coinpress/vulnerability/wordpress-coinpress-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Coinpress theme <= 1.0.14 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T19:57:43.151328Z", "id": "CVE-2026-28007", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:24:33.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28007", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T19:57:43.151328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T19:57:01.302Z"}}], "cna": {"title": "WordPress Coinpress theme <= 1.0.14 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Coinpress", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0.14"}], "packageName": "coinpress", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:34.411Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/coinpress/vulnerability/wordpress-coinpress-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion.This issue affects Coinpress: from n/a through <= 1.0.14.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion.<p>This issue affects Coinpress: from n/a through <= 1.0.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.048Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28007", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:24:33.714Z", "dateReserved": "2026-02-25T12:13:06.634Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:07.474Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion.This issue affects Coinpress: from n/a through <= 1.0.14."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en programa PHP, la vulnerabilidad 'PHP Remote File Inclusion' en ThemeREX Coinpress coinpress permite inclusi\u00f3n local de ficheros PHP. Este problema afecta a Coinpress: desde n/a hasta &lt;= 1.0.14."}], "id": "CVE-2026-28007", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:32.687", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/coinpress/vulnerability/wordpress-coinpress-theme-1-0-14-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "coinpress", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T12:40:15.722246+00:00", "value": {"mitigation_remediation": ["Upgrade the Coinpress theme to a version newer than 1.0.14, which removes the vulnerable include logic.", "If an upgrade is not available, remove or disable the theme until it can be patched. Verify that the theme\u2019s file inclusion points are disabled or have hard\u2011coded safe paths.", "Implement input validation or hard\u2011code the file list in the theme\u2019s PHP code to prevent arbitrary files from being included and ensure that the server\u2019s include paths restrict to the theme directory only."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion potentially leading to code execution"}, "threat_synthesis": {"affected_systems": "Coinpress theme for WordPress, developed by ThemeREX, is affected on all releases from the initial available version up to and including 1.0.14. Users who have installed any of these versions and are maintaining the theme with the default file include logic are impacted. No specific WordPress core versions are listed as affected.", "description_and_impact": "The vulnerability is an improper control of the filename in a PHP include/require statement. An attacker could supply a crafted filename that is resolved on the file system, allowing inclusion of local files. Because the inclusion occurs within the theme\u2019s PHP code, arbitrary code execution is possible after the file is included. The weakness is classified as CWE-98 and carries a CVSS score of 8.1, indicating high severity. The impact manifests as a loss of confidentiality, integrity, and availability for the affected site once the attacker gains code execution.", "risk_and_exploitability": "The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a local file inclusion triggered by a parameter sent to the theme or a crafted URL that influences the include path. Successful exploitation would require that the attacker can control the input to the file inclusion mechanism, a condition that can be met via a weakness in the theme\u2019s producer or a misconfiguration of WordPress that allows remote file uploads or path manipulation."}}}}, "created": "2026-03-06T15:11:42.830739+00:00", "updated": "2026-04-16T12:45:35.855772+00:00", "vendors": ["themerex", "themerex$PRODUCT$coinpress", "wordpress", "wordpress$PRODUCT$wordpress"]}