{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28098", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:56.812Z", "datePublished": "2026-03-05T05:54:25.315Z", "dateUpdated": "2026-04-28T17:43:37.909Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "save-life", "product": "Save Life", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:41.510Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion.<p>This issue affects Save Life: from n/a through <= 1.2.13.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion.This issue affects Save Life: from n/a through <= 1.2.13."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.690Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/save-life/vulnerability/wordpress-save-life-theme-1-2-13-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Save Life theme <= 1.2.13 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T17:03:32.694175Z", "id": "CVE-2026-28098", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:43:37.909Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28098", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:13:56.812Z", "datePublished": "2026-03-05T05:54:25.315Z", "dateUpdated": "2026-04-28T17:43:37.909Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "save-life", "product": "Save Life", "vendor": "ThemeREX", "versions": [{"lessThanOrEqual": "1.2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bonds | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:41.510Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion.<p>This issue affects Save Life: from n/a through <= 1.2.13.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion.This issue affects Save Life: from n/a through <= 1.2.13."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:07.690Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/save-life/vulnerability/wordpress-save-life-theme-1-2-13-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress Save Life theme <= 1.2.13 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-05T17:03:32.694175Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T17:03:24.308Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion.This issue affects Save Life: from n/a through <= 1.2.13."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n Include/Require en el programa PHP ('Inclusi\u00f3n Remota de Ficheros PHP') vulnerabilidad en ThemeREX Save Life save-life permite la Inclusi\u00f3n Local de Ficheros PHP. Este problema afecta a Save Life: desde n/a hasta &lt;= 1.2.13."}], "id": "CVE-2026-28098", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:44.100", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/save-life/vulnerability/wordpress-save-life-theme-1-2-13-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.13]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Save Life", "source": "cna", "vendor": "ThemeREX"}, "product": "save_life", "vendor": "themerex"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:01:51.374526+00:00", "value": {"mitigation_remediation": ["Upgrade the Save Life theme to a version later than 1.2.13, as the latest releases contain the fix for the Local File Inclusion flaw.", "If an upgrade cannot be performed immediately, remove or disable the theme from the site to eliminate the attack vector.", "Apply an input validation whitelist for include paths or configure the web server/PHP to disallow user-supplied filenames for includes, thereby preventing the exploitation of the vulnerability."], "summary": {"action": "Update Theme", "impact": "Local File Inclusion allowing disclosure of file contents and potential code execution"}, "threat_synthesis": {"affected_systems": "WordPress sites using ThemeREX Save Life theme version 1.2.13 or earlier are affected. Any installation still running these or older versions is vulnerable and should be verified via the WordPress admin interface or the plugin directory.", "description_and_impact": "The vulnerability is an improper control of filename for an include or require statement, permitting a Local File Inclusion attack. By manipulating the filename parameter used by the theme, an attacker can read arbitrary local files and, if they can provide a PHP file, execute code. This weakness falls under CWE-98, which concerns using uncontrolled input as a filename in requires or includes.", "risk_and_exploitability": "The CVSS base score of 8.1 indicates high severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely involve submitting a crafted request that directs the theme to include a targeted file path, which could be performed by an unauthenticated user if the parameter is publicly exposed. The impact is limited to the server\u2019s file system, but the ability to execute PHP code could elevate the risk substantially if the attacker succeeds."}}}}, "created": "2026-03-06T15:08:37.656422+00:00", "updated": "2026-04-15T20:15:13.701193+00:00", "vendors": ["themerex", "themerex$PRODUCT$save_life", "wordpress", "wordpress$PRODUCT$wordpress"]}