{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28117", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:07.578Z", "datePublished": "2026-03-05T05:54:28.342Z", "dateUpdated": "2026-04-28T17:46:10.852Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "smartSEO", "product": "smart SEO", "vendor": "axiomthemes", "versions": [{"lessThanOrEqual": "2.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:49.413Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.<p>This issue affects smart SEO: from n/a through <= 2.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.This issue affects smart SEO: from n/a through <= 2.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:08.638Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-theme-2-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress smart SEO theme <= 2.9 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-05T15:31:04.663763Z", "id": "CVE-2026-28117", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T17:46:10.852Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28117", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-25T12:14:07.578Z", "datePublished": "2026-03-05T05:54:28.342Z", "dateUpdated": "2026-04-28T17:46:10.852Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://themeforest.net", "defaultStatus": "unaffected", "packageName": "smartSEO", "product": "smart SEO", "vendor": "axiomthemes", "versions": [{"lessThanOrEqual": "2.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-28T13:51:49.413Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.<p>This issue affects smart SEO: from n/a through <= 2.9.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.This issue affects smart SEO: from n/a through <= 2.9."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:15:08.638Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-theme-2-9-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress smart SEO theme <= 2.9 - Local File Inclusion vulnerability"}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28117", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-05T15:31:04.663763Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-05T15:30:31.841Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion.This issue affects smart SEO: from n/a through <= 2.9."}, {"lang": "es", "value": "Control inadecuado del nombre de fichero para la declaraci\u00f3n include/require en el programa PHP (vulnerabilidad de 'Inclusi\u00f3n Remota de Ficheros de PHP') en axiomthemes smart SEO smartSEO permite la inclusi\u00f3n local de ficheros de PHP. Este problema afecta a smart SEO: desde n/a hasta &lt;= 2.9."}], "id": "CVE-2026-28117", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-05T06:16:46.220", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Theme/smartSEO/vulnerability/wordpress-smart-seo-theme-2-9-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.9]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "smart SEO", "source": "cna", "vendor": "axiomthemes"}, "product": "smart_seo", "vendor": "axiomthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T04:47:33.563983+00:00", "value": {"mitigation_remediation": ["Update SmartSEO to the latest version available from Axiomthemes; versions above 2.9 reportedly remove the LFI vector.", "If an update is not immediately possible, sanitize user-supplied include parameters by validating them against an allow\u2011list of known safe paths or by removing directory traversal characters such as \"..\" or slashes from the input before it is passed to include/require.", "Configure the web server or PHP runtime to restrict file include paths (e.g., adjust the include_path directive) so that only the intended theme directory can be referenced, thereby blocking arbitrary file access."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion enabling potential remote code execution"}, "threat_synthesis": {"affected_systems": "The SmartSEO WordPress theme provided by Axiomthemes is affected in all releases up to and including version 2.9. No affected versions beyond 2.9 are listed, indicating that updates later than 2.9 may have mitigated this flaw.", "description_and_impact": "The vulnerability in Axiomthemes SmartSEO theme arises from improper control of the filename used in PHP include/require calls. This flaw allows an attacker to force the theme to load arbitrary files from the server, potentially revealing sensitive configuration files or, when combined with additional exploitation techniques, executing malicious code on the host. While the described issue is a local file inclusion (LFI), the nature of the include statement means that an attacker who can influence the target parameter may gain unintended access to files that are otherwise protected, compromising confidentiality and integrity of the system.", "risk_and_exploitability": "The CVSS score of 8.1 classifies this flaw as high severity. The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, the likely attack vector is a crafted HTTP request that supplies an uncontrolled file path to the theme\u2019s inclusion logic. If an attacker can manipulate this path, they may read arbitrary files or trigger malicious code execution. Consequently, while the immediate risk may be low due to low exploitation probability, the potential impact remains significant."}}}}, "created": "2026-03-06T15:08:23.944279+00:00", "updated": "2026-04-16T05:00:09.660859+00:00", "vendors": ["axiomthemes", "axiomthemes$PRODUCT$smart_seo", "wordpress", "wordpress$PRODUCT$wordpress"]}