Cyber Posture

CVE-2026-28022

Severity: High
Published: 05 March 2026
Modified: 22 April 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (37.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Foodie foodie allows PHP Local File Inclusion. This issue affects Foodie: from n/a through <= 1.14.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly mitigates PHP Local File Inclusion by validating and sanitizing user-supplied filenames used in include/require statements, so that the request cannot steer the include at an unauthorized local file.
- prevent: Requires timely flaw remediation by patching vulnerable ThemeREX Foodie WordPress theme versions (up to and including 1.14) to eliminate the improper filename control issue.
- prevent: Enforces secure PHP configuration settings such as open_basedir restrictions and disabling dangerous functions to limit the scope of a local file inclusion.
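The first control above, shown as working code. This is an added example, not code from the Foodie theme or from Patchstack: a theme-style template loader that uses the untrusted request value only as an allowlist key and then confirms the resolved path stays inside the theme directory before calling include. The `layout` query parameter, the template names and the `templates/` paths are assumptions.

```php
<?php
// Added example (not Foodie theme code): a template loader hardened against
// CWE-98. The request value is never used as a path; it only selects a key.

// Names a request may select, each mapped to a fixed file under the theme dir.
// (Assumed names and paths for illustration.)
const ALLOWED_TEMPLATES = [
    'grid' => 'templates/grid.php',
    'list' => 'templates/list.php',
];

/**
 * Resolve an untrusted template name to an absolute path inside $baseDir.
 * Returns null when the name is not allow-listed or the resolved file
 * would lie outside the base directory.
 */
function resolve_template(string $requested, string $baseDir): ?string
{
    // Step 1: allowlist lookup. Unknown names (including "../", "php://"
    // or absolute paths) are rejected before any filesystem access.
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }

    // Step 2: defence in depth. Even if the allowlist is later mis-edited
    // or a symlink is dropped into templates/, the canonical path must
    // still start with the canonical base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Hypothetical entry point: 'layout' is an assumed query parameter name.
$requested = isset($_GET['layout']) ? (string) $_GET['layout'] : 'grid';
$template  = resolve_template($requested, __DIR__);
if ($template === null) {
    http_response_code(400);
    exit('Unknown layout');
}
include $template; // only ever a path produced by resolve_template()
```

The third control above complements this at the interpreter level: an open_basedir value in php.ini that is limited to the web root bounds what any remaining include can reach.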

Security Summary [AI-generated]

CVE-2026-28022 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, referred to as PHP Remote File Inclusion but enabling PHP Local File Inclusion, affecting the ThemeREX Foodie WordPress theme. This issue impacts versions from n/a through 1.14, as documented under CWE-98. The vulnerability was published on 2026-03-05 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

An unauthenticated remote attacker can exploit this vulnerability over the network with high attack complexity and no user interaction required. Successful exploitation allows high impacts on confidentiality, integrity, and availability, potentially enabling local file inclusion to access or manipulate sensitive server files.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/foodie/vulnerability/wordpress-foodie-theme-1-14-local-file-inclusion-vulnerability?_s_id=cve provides details on the Local File Inclusion vulnerability specific to the Foodie WordPress theme version 1.14.

Details

CWE(s): CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CVE-2026-28022 is a Local File Inclusion (LFI) vulnerability in a public-facing WordPress theme, directly enabling exploitation of a public-facing application (T1190) for arbitrary local file reads with high confidentiality impact.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- Patchstack advisory: https://patchstack.com/database/Wordpress/Theme/foodie/vulnerability/wordpress-foodie-theme-1-14-local-file-inclusion-vulnerability?_s_id=cve