What is CVE-2026-28095?

A high-severity vulnerability has been identified in the ThemeREX Marcell theme for WordPress, which allows for local file inclusion attacks. Organizations using affected versions should prioritize patching to mitigate the risk of exploitation.

What is the severity of CVE-2026-28095?

CVE-2026-28095 has a severity rating of HIGH with a CVSS base score of 8.1.

CVE-2026-28095 | High Vulnerability in ThemeREX Marcell

The vulnerability identified as CVE-2026-28095 is categorized as a high-severity issue affecting the ThemeREX Marcell theme for WordPress. This vulnerability allows for improper control of filename for include/require statements, leading to potential local file inclusion.

The CVSS score of this vulnerability is 8.1, indicating a high risk to organizations using affected versions. The vulnerability can be exploited over the network with high complexity, requiring no user interaction.

Risk to organizations includes unauthorized access to sensitive files, which can compromise the integrity and availability of the application. The urgency for defenders is high, and organizations should prioritize patching immediately.

According to the latest intelligence, there are no known public exploits for this vulnerability, and it has not been added to the Known Exploited Vulnerabilities (KEV) catalog. However, organizations should remain vigilant and apply the necessary updates to mitigate potential risks.

Vulnerability Details

The CVE-2026-28095 vulnerability occurs due to improper control of filenames in the ThemeREX Marcell theme for WordPress, affecting versions up to 1.2.14. This vulnerability is classified under CWE-98 for improper control of filename for include/require statements.

The vulnerability allows attackers to exploit the PHP local file inclusion functionality, potentially leading to unauthorized access to sensitive files on the server. The attack vector is network-based, requiring no privileged access or user interaction.

Technical Analysis

The root cause of this vulnerability lies in the way the ThemeREX Marcell theme handles filenames for include statements. By not properly validating or sanitizing the input, attackers can manipulate the request to include arbitrary files from the server.

This vulnerability has a high attack complexity, as the attacker must have knowledge of the internal file structure of the application. However, once exploited, the impact can be severe, affecting confidentiality, integrity, and availability.

Risk & Impact Analysis

The potential impact of CVE-2026-28095 is significant, especially for organizations that rely on the ThemeREX Marcell theme for their WordPress sites. If exploited, attackers can gain unauthorized access to sensitive files, potentially leading to data breaches and loss of sensitive information.

Given the high CVSS score of 8.1, organizations should assess their risk exposure and take immediate action. The vulnerability's classification as high severity indicates that organizations should address this issue in their priority patch cycle.

Organizations using the affected versions of the Marcell theme must prioritize patching and remediation to avoid exploitation. The urgency is heightened by the potential for significant negative impact on organizational operations.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

This vulnerability affects all versions of the ThemeREX Marcell theme prior to version 1.2.14. Organizations using this theme should ensure they are running the latest version to mitigate the risk associated with this vulnerability.

Mitigation & Remediation

Organizations should implement the following actions to remediate this vulnerability:

1. Upgrade to the latest version of the ThemeREX Marcell theme as soon as possible.

2. Implement proper input validation and sanitization for any filename inputs in PHP applications.

For additional guidance on secure coding practices, organizations may refer to the Secure Coding Practices Guide.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor:

1. Log files for unusual include or require statements.

2. Network traffic for suspicious requests that may indicate an attempt to exploit local file inclusion.

AppSecure Threat Intelligence Insight

The identification of CVE-2026-28095 highlights the ongoing risks associated with PHP applications and the importance of secure coding practices. As attackers increasingly target vulnerabilities in popular themes and plugins, organizations must remain proactive in their security measures.

For further insights on vulnerability management, organizations can review our article on Vulnerability Management Program Design and consider engaging in penetration testing services to assess their application security posture.

Organizations are encouraged to stay informed about emerging vulnerabilities and trends in the threat landscape to effectively protect their assets.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-28095: High Vulnerability in ThemeREX Marcell