{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28061", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:34.841Z", "datePublished": "2026-03-05T05:54:18.780Z", "dateUpdated": "2026-04-28T17:36:10.759Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "tiger-claw", "product": "Tiger Claw", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.1.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:50.968Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion.<p>This issue affects Tiger Claw: from n/a through <= 1.1.14.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion.This issue affects Tiger Claw: from n/a through <= 1.1.14."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:05.998Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/tiger-claw/vulnerability/wordpress-tiger-claw-theme-1-1-14-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Tiger Claw theme <= 1.1.14 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T19:47:30.413881Z", "id": "CVE-2026-28061", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:36:10.759Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28061", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T19:47:30.413881Z"}}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T19:47:26.613Z"}}], "cna": {"title": "WordPress Tiger Claw theme <= 1.1.14 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Tiger Claw", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.1.14"}], "packageName": "tiger-claw", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:50.968Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/tiger-claw/vulnerability/wordpress-tiger-claw-theme-1-1-14-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion.This issue affects Tiger Claw: from n/a through <= 1.1.14.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion.<p>This issue affects Tiger Claw: from n/a through <= 1.1.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:05.998Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28061", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:36:10.759Z", "dateReserved": "2026-02-25T12:13:34.841Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:18.780Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion.This issue affects Tiger Claw: from n/a through <= 1.1.14."}, {"lang": "es", "value": "Vulnerabilidad de control inadecuado del nombre de fichero para la sentencia include/require en un programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') en ThemeREX Tiger Claw tiger-claw permite la inclusi\u00f3n local de ficheros PHP. Este problema afecta a Tiger Claw: desde n/a hasta &lt;= 1.1.14."}], "id": "CVE-2026-28061", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:39.803", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/tiger-claw/vulnerability/wordpress-tiger-claw-theme-1-1-14-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tiger Claw", "source": "cna", "vendor": "ThemeREX"}, "product": "tiger_claw", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:55:29.682635+00:00", "value": {"mitigation_remediation": ["Upgrade the ThemeREX Tiger Claw theme to version 1.1.15 or later, which removes the unsanitized include/require functionality.", "If upgrading immediately is not possible, sanitize all file path inputs by restricting them to a whitelist of allowed filenames or directories and stripping any path\u2011traversal characters such as '..'.", "Implement a web\u2011application firewall rule or server\u2011level configuration to block requests containing suspicious file inclusion patterns or attempts to access system files (e.g., /etc/passwd, /var/www/html/..)."], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "The WordPress theme Tiger Claw from ThemeREX is affected. All releases from its initial version through 1.1.14 contain the vulnerability. Any installation using a version equal to or older than 1.1.14 is vulnerable; newer releases are not impacted.", "description_and_impact": "The vulnerability is an improper control of the filename used in PHP include/require statements (CWE\u201198). In affected versions of the ThemeREX Tiger Claw theme, a user\u2011controlled parameter can dictate the file that is included, allowing the inclusion of arbitrary local files. The description indicates that if a PHP file is served by the inclusion, code execution within the application context could result. This inference is derived from the statement that the issue allows local file inclusion and the known consequences of LFI attacks. The primary impact is potential disclosure of sensitive files and possible remote code execution if the attacker can provoke the inclusion of a PHP file.", "risk_and_exploitability": "CVE carries a CVSS v3.1 score of 8.1, classifying it as high severity. The EPSS score is reported as <1%, indicating that exploitation in the wild is currently rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves supplying a crafted URL or input that alters the filename passed to include/require statements; this inference is made because the description states that the file name is improperly controlled. The exploitation does not require authentication, suggesting any user who can send a request to the vulnerable endpoint could potentially trigger the inclusion. Proper input validation or isolation would mitigate the issue."}}}}, "created": "2026-03-06T15:10:57.251155+00:00", "updated": "2026-04-16T05:00:09.686863+00:00", "vendors": ["themerex", "themerex$PRODUCT$tiger_claw", "wordpress", "wordpress$PRODUCT$wordpress"]}