CVE-2026-28107

High

Published: 05 March 2026

Published

05 March 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0016 37.1th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Muzicon muzicon allows PHP Local File Inclusion.This issue affects Muzicon: from n/a through <= 1.9.0.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by identifying, reporting, and applying patches to the vulnerable ThemeREX Muzicon WordPress theme versions through 1.9.0.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of the PHP Local File Inclusion vulnerability by validating and sanitizing user-supplied filenames used in include/require statements.

CM-6 Configuration Settings partial match

prevent

Mitigates risk through secure PHP configuration settings such as disabling allow_url_include and enforcing open_basedir restrictions to limit arbitrary file access.

Security SummaryAI

CVE-2026-28107 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the ThemeREX Muzicon WordPress theme in versions from n/a through 1.9.0. Published on 2026-03-05, it is associated with CWE-98 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though exploitation requires high attack complexity. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to include and execute local PHP files on the server.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/muzicon/vulnerability/wordpress-muzicon-theme-1-9-0-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s): CWE-98

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a Local File Inclusion (LFI) in a public-facing WordPress theme, directly exploitable over the network without authentication, enabling exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://patchstack.com/database/Wordpress/Theme/muzicon/vulnerability/wordpress-muzicon-theme-1-9-0-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com