{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28033", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:25.489Z", "datePublished": "2026-03-05T05:54:13.558Z", "dateUpdated": "2026-04-28T17:31:51.500Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "edifice", "product": "Edifice", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:45.118Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edifice edifice allows PHP Local File Inclusion.<p>This issue affects Edifice: from n/a through <= 1.8.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edifice edifice allows PHP Local File Inclusion.This issue affects Edifice: from n/a through <= 1.8."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.867Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/edifice/vulnerability/wordpress-edifice-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Edifice theme <= 1.8 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-06T12:26:37.619340Z", "id": "CVE-2026-28033", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:31:51.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28033", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-06T12:26:37.619340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T12:26:31.569Z"}}], "cna": {"title": "WordPress Edifice theme <= 1.8 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Edifice", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.8"}], "packageName": "edifice", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:45.118Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/edifice/vulnerability/wordpress-edifice-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edifice edifice allows PHP Local File Inclusion.This issue affects Edifice: from n/a through <= 1.8.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edifice edifice allows PHP Local File Inclusion.<p>This issue affects Edifice: from n/a through <= 1.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:04.867Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28033", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:31:51.500Z", "dateReserved": "2026-02-25T12:13:25.489Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:13.558Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Edifice edifice allows PHP Local File Inclusion.This issue affects Edifice: from n/a through <= 1.8."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP (vulnerabilidad de 'inclusi\u00f3n remota de ficheros PHP') en ThemeREX Edifice edifice permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Edifice: desde n/a hasta &lt;= 1.8."}], "id": "CVE-2026-28033", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:36.060", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/edifice/vulnerability/wordpress-edifice-theme-1-8-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Edifice", "source": "cna", "vendor": "ThemeREX"}, "product": "edifice", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:58:05.362926+00:00", "value": {"mitigation_remediation": ["Update the Edifice theme to the latest version that removes the vulnerable include logic (at least 1.9 or later).", "If an update is not yet available or cannot be applied, manually modify the theme files to remove or secure the include/require statements that accept user\u2011controlled filenames, for example by validating the path against an allow\u2011list.", "Harden the WordPress installation by disabling PHP remote file inclusion (set allow_url_fopen to Off) and ensuring that web\u2011accessible directories are not readable by the web user, limiting exposure if LFI is exploited."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion leading to potential remote code execution"}, "threat_synthesis": {"affected_systems": "The flaw affects the WordPress theme authored by ThemeREX, named Edifice, in all releases through version 1.8. Users who have not upgraded beyond 1.8 are susceptible.", "description_and_impact": "The vulnerability is an improper control of filenames in PHP include/require statements, categorized as a Local File Inclusion (CWE\u201198). An attacker can supply crafted input that causes the Edifice theme to include arbitrary local files, potentially exposing sensitive configuration data or executing attacker\u2011supplied PHP code. This allows a privileged attacker or one with basic web access to read or run files on the server, leading to confidentiality and integrity violations and possibly full remote code execution.", "risk_and_exploitability": "The CVSS score of 8.1 reflects a high severity vulnerability that can be triggered by remote attackers via the web interface when the Edifice theme is active (inferred). The EPSS value is below 1%, indicating a very low current exploit probability, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. While the likelihood of exploitation remains low, the potential impact\u2014local file read, possibly leading to remote code execution\u2014justifies prompt remediation."}}}}, "created": "2026-03-06T15:11:21.277388+00:00", "updated": "2026-04-16T05:00:09.697026+00:00", "vendors": ["themerex", "themerex$PRODUCT$edifice", "wordpress", "wordpress$PRODUCT$wordpress"]}