{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28095", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:56.811Z", "datePublished": "2026-03-05T05:54:24.760Z", "dateUpdated": "2026-04-28T17:43:08.955Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "marcell", "product": "Marcell", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.2.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:39.751Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion.<p>This issue affects Marcell: from n/a through <= 1.2.14.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion.This issue affects Marcell: from n/a through <= 1.2.14."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.697Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/marcell/vulnerability/wordpress-marcell-theme-1-2-14-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Marcell theme <= 1.2.14 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T18:41:53.437255Z", "id": "CVE-2026-28095", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:43:08.955Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28095", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T18:41:53.437255Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T18:41:15.313Z"}}], "cna": {"title": "WordPress Marcell theme <= 1.2.14 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ThemeREX", "product": "Marcell", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.2.14"}], "packageName": "marcell", "collectionURL": "https://themeforest.net", "defaultStatus": "unaffected"}], "datePublic": "2026-04-28T13:51:39.751Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Theme/marcell/vulnerability/wordpress-marcell-theme-1-2-14-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion.This issue affects Marcell: from n/a through <= 1.2.14.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion.<p>This issue affects Marcell: from n/a through <= 1.2.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.697Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28095", "state": "PUBLISHED", "dateUpdated": "2026-04-28T17:43:08.955Z", "dateReserved": "2026-02-25T12:13:56.811Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-05T05:54:24.760Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion.This issue affects Marcell: from n/a through <= 1.2.14."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en ThemeREX Marcell marcell permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Marcell: desde n/a hasta &lt;= 1.2.14."}], "id": "CVE-2026-28095", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:43.710", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/marcell/vulnerability/wordpress-marcell-theme-1-2-14-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Marcell", "source": "cna", "vendor": "ThemeREX"}, "product": "marcell", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:50:54.028795+00:00", "value": {"mitigation_remediation": ["Upgrade the Marcell theme to version 1.2.15 or newer when a patch becomes available.", "Disable the Marcell theme or replace it with a secure alternative if an upgrade is not feasible.", "Set strict file permissions on the WordPress installation to limit file access.", "Enable open_basedir limits to restrict file inclusion to intended directories.", "Monitor website logs for anomalous include/require parameters that could indicate exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Local File Inclusion with potential code execution"}, "threat_synthesis": {"affected_systems": "The issue affects the ThemeREX Marcell WordPress theme up to and including version 1.2.14. Any installation using one of these versions is vulnerable; newer releases are not affected according to the available data.", "description_and_impact": "Improper control of filename parameters in the PHP include/require statements of the Marcell theme allows an attacker to trigger a local file inclusion. This flaw can enable the reading of sensitive files on the server or, if a local PHP file can be uploaded or authored by the attacker, lead to remote code execution on the site. The vulnerability is classified as CWE\u201198, which highlights the risk of uncontrolled input being used as a filename.", "risk_and_exploitability": "The CVSS score of 8.1 reflects a high severity, and the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, so no known widespread exploitation is reported. The likely attack vector involves a crafted HTTP request that supplies a file path to the vulnerable include statement, a technique that requires access to the site\u2019s front\u2011end or an authenticated user context. While the vector is relatively straightforward, successful exploitation depends on the attacker\u2019s ability to influence the filename parameter, which may be limited in some hosting environments."}}}}, "created": "2026-03-06T15:08:40.284275+00:00", "updated": "2026-04-16T05:00:09.667510+00:00", "vendors": ["themerex", "themerex$PRODUCT$marcell", "wordpress", "wordpress$PRODUCT$wordpress"]}