CVE-2026-28069
Published: 05 March 2026
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Le Truffe letruffe allows PHP Local File Inclusion. This issue affects Le Truffe: from n/a through <= 1.1.7.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
Directly validates untrusted filename inputs used in PHP include/require statements to block local file inclusion exploits.
Remediates the specific flaw in the Le Truffe WordPress theme by identifying, patching, and deploying updates for affected versions up to 1.1.7.
Enforces restrictions on filename inputs at web application boundaries, such as whitelisting allowed paths to prevent traversal to sensitive local files.
Security Summary (AI-generated)
CVE-2026-28069 is an Improper Control of Filename for Include/Require Statement vulnerability, classified as PHP Remote File Inclusion (CWE-98), in the ThemeREX Le Truffe WordPress theme. The flaw enables PHP Local File Inclusion and affects all versions of Le Truffe from n/a through 1.1.7. It was published on 2026-03-05 with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability over the network without authentication or user interaction, though it requires high attack complexity. Successful exploitation allows attackers to perform local file inclusion, potentially leading to high-impact compromise of confidentiality, integrity, and availability, such as unauthorized access to sensitive local files or further system compromise.
The Patchstack advisory documents this vulnerability in the Le Truffe WordPress theme version 1.1.7 and provides details on the local file inclusion issue at https://patchstack.com/database/Wordpress/Theme/letruffe/vulnerability/wordpress-le-truffe-theme-1-1-7-local-file-inclusion-vulnerability?_s_id=cve.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The LFI vulnerability in the public-facing WordPress theme directly enables T1190 (Exploit Public-Facing Application) for initial access and facilitates T1083 (File and Directory Discovery) by allowing inclusion and potential disclosure of local files.