{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28030", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:18.740Z", "datePublished": "2026-03-05T05:54:12.578Z", "dateUpdated": "2026-04-28T17:31:20.746Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "bonbon", "product": "Bonbon", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:42.852Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.<p>This issue affects Bonbon: from n/a through <= 1.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.This issue affects Bonbon: from n/a through <= 1.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.653Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/bonbon/vulnerability/wordpress-bonbon-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Bonbon theme <= 1.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T19:24:38.999662Z", "id": "CVE-2026-28030", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:31:20.746Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28030", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T19:24:38.999662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T19:24:12.190Z"}}], "cna": {"title": "WordPress Bonbon theme <= 1.6 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Bonbon", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.6"}], "packageName": "bonbon", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:42.852Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/bonbon/vulnerability/wordpress-bonbon-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.This issue affects Bonbon: from n/a through <= 1.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.<p>This issue affects Bonbon: from n/a through <= 1.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.653Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28030", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:31:20.746Z", "dateReserved": "2026-02-25T12:13:18.740Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:12.578Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bonbon bonbon allows PHP Local File Inclusion.This issue affects Bonbon: from n/a through <= 1.6."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('vulnerabilidad de inclusi\u00f3n remota de ficheros PHP') en ThemeREX Bonbon bonbon permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Bonbon: desde n/a hasta &lt;= 1.6."}], "id": "CVE-2026-28030", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:35.637", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/bonbon/vulnerability/wordpress-bonbon-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Bonbon", "source": "cna", "vendor": "ThemeREX"}, "product": "bonbon", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:58:40.889041+00:00", "value": {"mitigation_remediation": ["Update the Bonbon theme to the latest release that contains the fix for the local file inclusion vulnerability.", "If no fix is currently available, disable or remove the Bonbon theme until a patch is released, or replace it with a vetted, secure alternative.", "Review the theme's code or WordPress configuration to ensure that any dynamic file paths are validated against an allowed list, and configure the application to prevent unchecked includes based on user input."], "summary": {"action": "Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The ThemeREX Bonbon WordPress theme is affected. All versions up through 1.6 are vulnerable; no later version information is provided.", "description_and_impact": "Improper control of file names in PHP include/require statements allows attackers to trigger local file inclusion in the Bonbon WordPress theme. The flaw, identified as CWE\u201198, could enable an attacker to execute arbitrary PHP code on a vulnerable site if a crafted file path can be supplied. The vulnerability is described as a PHP Remote File Inclusion issue that operates as local file inclusion, jeopardizing the confidentiality, integrity, and availability of the affected WordPress installation.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. The EPSS rating of less than 1% suggests that exploitable incidents are relatively rare, yet the flaw can be leveraged in a local context if an attacker can influence file inclusion paths. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local file inclusion driven by unsanitized inputs in the theme\u2019s PHP code, potentially requiring local access or a path traversal capability to abuse the flaw."}}}}, "created": "2026-03-06T15:11:24.055010+00:00", "updated": "2026-04-16T05:00:09.697709+00:00", "vendors": ["themerex", "themerex$PRODUCT$bonbon", "wordpress", "wordpress$PRODUCT$wordpress"]}