{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28051", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:30.135Z", "datePublished": "2026-03-05T05:54:16.778Z", "dateUpdated": "2026-04-28T17:34:22.065Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "yacht-rental", "product": "Yacht Rental", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "2.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:46.820Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion.<p>This issue affects Yacht Rental: from n/a through <= 2.6.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion.This issue affects Yacht Rental: from n/a through <= 2.6."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:05.261Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/yacht-rental/vulnerability/wordpress-yacht-rental-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Yacht Rental theme <= 2.6 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T21:15:27.293272Z", "id": "CVE-2026-28051", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:34:22.065Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28051", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T21:15:27.293272Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T21:15:05.147Z"}}], "cna": {"title": "WordPress Yacht Rental theme <= 2.6 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Yacht Rental", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.6"}], "packageName": "yacht-rental", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:46.820Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/yacht-rental/vulnerability/wordpress-yacht-rental-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion.This issue affects Yacht Rental: from n/a through <= 2.6.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion.<p>This issue affects Yacht Rental: from n/a through <= 2.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:05.261Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28051", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:34:22.065Z", "dateReserved": "2026-02-25T12:13:30.135Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:16.778Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion.This issue affects Yacht Rental: from n/a through <= 2.6."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en un programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') en ThemeREX Yacht Rental yacht-rental permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Yacht Rental: desde n/a hasta &lt;= 2.6."}], "id": "CVE-2026-28051", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:38.290", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/yacht-rental/vulnerability/wordpress-yacht-rental-theme-2-6-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Yacht Rental", "source": "cna", "vendor": "ThemeREX"}, "product": "yacht_rental", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T23:06:36.564098+00:00", "value": {"mitigation_remediation": ["Upgrade the Yacht Rental theme to any version later than 2.6 where the inclusion logic has been fixed.", "If an upgrade is not immediately possible, modify the theme\u2019s source or use a filtering hook to sanitize any user\u2011supplied filename values before they reach the include/require statement, ensuring only whitelisted files are accepted.", "Configure the web server or an .htaccess file to disable PHP execution in directories used for file inclusion within the theme, adding a \"php_admin_flag engine off\" or appropriate directives to prevent any included files from running as scripts."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ThemeREX Yacht Rental theme with a version number of 2.6 or earlier are affected. No further sub\u2011version details are provided, so any deployment of the theme as supplied in the 2.6 release or earlier must be considered vulnerable.", "description_and_impact": "The Yacht Rental theme from ThemeREX contains an improper control of filename in its PHP include/require logic, enabling local file inclusion for versions up to 2.6. An attacker can manipulate the requested filename, causing the server to include and potentially execute arbitrary local files. This can lead to disclosure of sensitive configuration files, user data, or, if a PHP file is included, remote code execution within the context of the web application. The flaw directly threatens confidentiality, and, depending on the files accessed, could also affect integrity and availability. The vulnerability is a classic example of CWE\u201198, which focuses on unsafe file inclusion and path traversal issues.", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity with full network exposure. The EPSS score of less than 1% suggests that while the exploitation likelihood is currently low, it is not negligible. The vulnerability is not listed in the CISA KEV catalog, but the remote nature of an HTTP request to trigger the include makes it accessible to unauthenticated users. An attacker could craft a URL with a tampered parameter to point the include to a local file such as /etc/passwd, a server configuration file, or a PHP script that may lead to code execution. Thus, systems should be treated as high risk until mitigated."}}}}, "created": "2026-03-06T15:11:06.451886+00:00", "updated": "2026-04-15T23:15:17.757823+00:00", "vendors": ["themerex", "themerex$PRODUCT$yacht_rental", "wordpress", "wordpress$PRODUCT$wordpress"]}