{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28028", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:18.740Z", "datePublished": "2026-03-05T05:54:12.174Z", "dateUpdated": "2026-04-28T17:31:01.215Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "moneyflow", "product": "MoneyFlow", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:42.175Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MoneyFlow moneyflow allows PHP Local File Inclusion.<p>This issue affects MoneyFlow: from n/a through <= 1.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MoneyFlow moneyflow allows PHP Local File Inclusion.This issue affects MoneyFlow: from n/a through <= 1.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.878Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/moneyflow/vulnerability/wordpress-moneyflow-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress MoneyFlow theme <= 1.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T19:32:53.478956Z", "id": "CVE-2026-28028", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:31:01.215Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T19:32:53.478956Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T19:31:21.154Z"}}], "cna": {"title": "WordPress MoneyFlow theme <= 1.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "MoneyFlow", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.0"}], "packageName": "moneyflow", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:42.175Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/moneyflow/vulnerability/wordpress-moneyflow-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MoneyFlow moneyflow allows PHP Local File Inclusion.This issue affects MoneyFlow: from n/a through <= 1.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MoneyFlow moneyflow allows PHP Local File Inclusion.<p>This issue affects MoneyFlow: from n/a through <= 1.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.878Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28028", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:31:01.215Z", "dateReserved": "2026-02-25T12:13:18.740Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:12.174Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MoneyFlow moneyflow allows PHP Local File Inclusion.This issue affects MoneyFlow: from n/a through <= 1.0."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la sentencia include/require en un programa PHP ('inclusi\u00f3n remota de ficheros PHP') vulnerabilidad en ThemeREX MoneyFlow moneyflow permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a MoneyFlow: desde n/a hasta &lt;= 1.0."}], "id": "CVE-2026-28028", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:35.373", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/moneyflow/vulnerability/wordpress-moneyflow-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "MoneyFlow", "source": "cna", "vendor": "ThemeREX"}, "product": "moneyflow", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:59:46.179521+00:00", "value": {"mitigation_remediation": ["Upgrade the MoneyFlow theme to the latest release that contains the LFI fix if one is available.", "If an update is not yet released, restrict or validate the filenames used in include/require calls by whitelisting known safe paths and rejecting arbitrary input.", "Modify file system permissions so that the WordPress web process can read only the directories containing legitimate theme files and cannot read sensitive configuration files."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion (potential execution)"}, "threat_synthesis": {"affected_systems": "The impact applies to the ThemeREX MoneyFlow theme for WordPress, affecting all installations of version 1.0 and earlier. No specific patch versions are listed in the advisory; vendors recommend using a newer release if available.", "description_and_impact": "This vulnerability occurs because the MoneyFlow theme fails to properly control the filename used in PHP include/require statements, allowing an attacker to craft requests that cause the application to include unintended local files. The flaw can lead to disclosure of sensitive configuration files, user credentials, or even execution of arbitrary PHP code if the attacker can influence the path to a file that contains malicious content. The weakness is categorized as CWE\u201198, which highlights improper handling of file names in include operations.", "risk_and_exploitability": "The CVSS base score of 8.1 indicates a high\u2011severity flaw; the EPSS score of less than 1% suggests a low likelihood of mass exploitation at present. This issue is not currently listed in the CISA KEV catalog. Because the vulnerability relies on an attacker manipulating request parameters that dictate a file path, the attack vector is inferred to be through the public web interface, typically by submitting a crafted URL that the theme processes without validation."}}}}, "created": "2026-03-06T15:11:25.727457+00:00", "updated": "2026-04-16T05:00:09.698449+00:00", "vendors": ["themerex", "themerex$PRODUCT$moneyflow", "wordpress", "wordpress$PRODUCT$wordpress"]}