{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28081", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:47.060Z", "datePublished": "2026-03-05T05:54:22.328Z", "dateUpdated": "2026-04-28T17:41:17.068Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "windsor", "product": "Windsor", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "2.5.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:05:54.274Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.<p>This issue affects Windsor: from n/a through <= 2.5.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.This issue affects Windsor: from n/a through <= 2.5.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.057Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/windsor/vulnerability/wordpress-windsor-theme-2-5-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Windsor theme <= 2.5.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T19:38:01.254148Z", "id": "CVE-2026-28081", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:41:17.068Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28081", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T19:38:01.254148Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T19:36:52.639Z"}}], "cna": {"title": "WordPress Windsor theme <= 2.5.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Windsor", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.5.0"}], "packageName": "windsor", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:05:54.274Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/windsor/vulnerability/wordpress-windsor-theme-2-5-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.This issue affects Windsor: from n/a through <= 2.5.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.<p>This issue affects Windsor: from n/a through <= 2.5.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.057Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28081", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:41:17.068Z", "dateReserved": "2026-02-25T12:13:47.060Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:22.328Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.This issue affects Windsor: from n/a through <= 2.5.0."}, {"lang": "es", "value": "Vulnerabilidad de Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') en ThemeREX Windsor windsor permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Windsor: desde n/a hasta &lt;= 2.5.0."}], "id": "CVE-2026-28081", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:42.110", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/windsor/vulnerability/wordpress-windsor-theme-2-5-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Windsor", "source": "cna", "vendor": "ThemeREX"}, "product": "windsor", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T22:57:52.604058+00:00", "value": {"mitigation_remediation": ["Update the Windsor theme to a version newer than 2.5.0 or apply the official vendor patch if available", "If an update is not feasible, deactivate or remove the Windsor theme until a fixed version is released", "Review and restrict PHP file inclusion paths within the theme and enforce proper input validation to prevent path traversal"], "summary": {"action": "Patch Immediately", "impact": "Local File Inclusion"}, "threat_synthesis": {"affected_systems": "WordPress sites using the ThemeREX Windsor theme, versions n/a through 2.5.0, are affected.", "description_and_impact": "The Windsor WordPress theme contains an improper control of filename for the include/require statement in PHP, permitting local file inclusion for any version up to 2.5.0. An attacker can supply a crafted path that the theme includes, allowing read access to arbitrary files on the web server such as configuration, password, or code files. This leads to information disclosure, credential theft, and can be a stepping stone to more severe attacks. The weakness is classified as CWE-98.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.1, indicating high severity. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation at present, and the issue is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion via a publicly accessible parameter that feeds into the theme\u2019s include logic; the attacker needs sufficient file system access to read requested files, and the vulnerability appears to be exploitable without additional privilege escalation."}}}}, "created": "2026-03-06T15:08:50.383550+00:00", "updated": "2026-04-15T23:00:10.463794+00:00", "vendors": ["themerex", "themerex$PRODUCT$windsor", "wordpress", "wordpress$PRODUCT$wordpress"]}