CVE-2026-28025
Published: 05 March 2026
Summary
CVE-2026-28025 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the LFI vulnerability in the Stargaze WordPress theme by identifying, patching, and verifying fixes for the improper filename control in PHP include/require.
Prevents exploitation of the PHP Remote/Local File Inclusion by validating filenames and paths supplied to include/require statements against safe patterns or whitelists.
Mitigates LFI risks through secure configuration of PHP settings like open_basedir restrictions and disabling allow_url_include to limit arbitrary file access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI vulnerability in public-facing WordPress theme enables remote exploitation of public-facing application (T1190) and facilitates collection of data from arbitrary local PHP files on the system (T1005).
NVD Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Stargaze stargaze allows PHP Local File Inclusion.This issue affects Stargaze: from n/a through <= 1.5.
Deeper analysisAI
CVE-2026-28025 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the ThemeREX Stargaze WordPress theme. This flaw impacts all versions from n/a through 1.5 and is associated with CWE-98. Published on 2026-03-05, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility and significant impacts across confidentiality, integrity, and availability.
Unauthenticated remote attackers (PR:N) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H) in an unchanged security scope (S:U). Successful exploitation allows attackers to achieve high-level impacts, including unauthorized access to local files via LFI, potentially leading to data disclosure, modification, or system disruption as reflected in the CVSS impact metrics.
The primary advisory from Patchstack details the Local File Inclusion vulnerability in the Stargaze WordPress theme version 1.5 and provides information on patches or mitigations, accessible at https://patchstack.com/database/Wordpress/Theme/stargaze/vulnerability/wordpress-stargaze-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve. Security practitioners should consult this reference for specific remediation steps, such as updating to a patched version if available.
Details
- CWE(s)