{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28014", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:12.448Z", "datePublished": "2026-03-05T05:54:08.775Z", "dateUpdated": "2026-04-28T17:25:25.348Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "translogic", "product": "Translogic", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.2.11", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:35.914Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion.<p>This issue affects Translogic: from n/a through <= 1.2.11.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion.This issue affects Translogic: from n/a through <= 1.2.11."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.370Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/translogic/vulnerability/wordpress-translogic-theme-1-2-11-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Translogic theme <= 1.2.11 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T15:57:37.690945Z", "id": "CVE-2026-28014", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:25:25.348Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28014", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T15:57:37.690945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T15:57:05.191Z"}}], "cna": {"title": "WordPress Translogic theme <= 1.2.11 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Translogic", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.11"}], "packageName": "translogic", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:35.914Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/translogic/vulnerability/wordpress-translogic-theme-1-2-11-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion.This issue affects Translogic: from n/a through <= 1.2.11.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion.<p>This issue affects Translogic: from n/a through <= 1.2.11.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.370Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28014", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:25:25.348Z", "dateReserved": "2026-02-25T12:13:12.448Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:08.775Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion.This issue affects Translogic: from n/a through <= 1.2.11."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en un programa PHP, la vulnerabilidad de 'Inclusi\u00f3n remota de ficheros PHP' en ThemeREX Translogic translogic permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Translogic: desde n/a hasta &lt;= 1.2.11."}], "id": "CVE-2026-28014", "lastModified": "2026-04-22T21:26:58.303", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:33.473", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/translogic/vulnerability/wordpress-translogic-theme-1-2-11-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.11]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Translogic", "source": "cna", "vendor": "ThemeREX"}, "product": "translogic", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T12:39:28.481566+00:00", "value": {"mitigation_remediation": ["Update the Translogic theme to a version newer than 1.2.11.", "If an update cannot be applied immediately, edit the theme\u2019s PHP files to validate the filename parameter and restrict include/require calls to a whitelist of approved paths.", "Configure the server to limit PHP include scope, such as by setting open_basedir to only allow the theme\u2019s directories or by disabling directory traversal options."], "summary": {"action": "Upgrade Theme", "impact": "Local File Inclusion potentially enabling code execution"}, "threat_synthesis": {"affected_systems": "ThemeREX Translogic Translogic, all releases up to and including version\u202f1.2.11 are affected. The vendor is identified as ThemeREX:Translogic.", "description_and_impact": "The Translogic theme contains an LFI flaw caused by an unsanitized filename supplied to PHP's include/require statement. If an attacker can supply a path that points to an arbitrary local file, the server will load and execute that file. This vulnerability is classified under \"CWE\u201198\" and may lead to remote code execution if a malicious PHP script is included.\nBased on the description, it is inferred that including a malicious PHP file could lead to remote code execution.\nThe description does not specify whether the attacker needs authenticated access; it is inferred that the attacker would need to influence the filename parameter, possibly via a crafted request to the theme.", "risk_and_exploitability": "The CVSS base score of 8.1 indicates high severity. EPSS is reported as <1%, which suggests a low current exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. Theoretical exploitation requires an attacker capable of crafting a request that causes the theme to include a local file; successful exploitation can lead to code execution or data disclosure. Because the EPSS is low and it has not been observed in KEV, widespread active exploitation is unlikely at present, but the high CVSS and the nature of the flaw keep the risk significant for affected sites."}}}}, "created": "2026-03-06T15:11:37.669097+00:00", "updated": "2026-04-16T12:45:35.853224+00:00", "vendors": ["themerex", "themerex$PRODUCT$translogic", "wordpress", "wordpress$PRODUCT$wordpress"]}