CVE-2026-28039

High

Published: 05 March 2026

Published

05 March 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0012 31.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28039 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

LFI vulnerability in public-facing WordPress plugin directly enables exploitation of T1190; successful abuse leads to arbitrary PHP execution (T1059.004 Unix Shell) and common web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.This issue affects wpDataTables: from n/a through <= 6.5.0.1.

Deeper analysisAI

CVE-2026-28039 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, described as PHP Remote File Inclusion but enabling PHP Local File Inclusion (CWE-98), in the wpDataTables WordPress plugin. This issue affects wpDataTables versions from n/a through 6.5.0.1. The vulnerability was published on 2026-03-05 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote, unauthenticated attacker can exploit this vulnerability over the network with high attack complexity, requiring user interaction such as clicking a malicious link or input. Successful exploitation allows high-impact consequences to confidentiality, integrity, and availability, potentially enabling attackers to include and execute arbitrary local PHP files, leading to sensitive data disclosure or remote code execution on the targeted WordPress site.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-4-0-5-local-file-inclusion-vulnerability?_s_id=cve.

Details

CWE(s): CWE-98

CVEs Like This One

CVE-2025-58214Shared CWE-98

CVE-2025-54701Shared CWE-98

CVE-2025-7327Shared CWE-98

CVE-2025-26909Shared CWE-98

CVE-2026-27894Shared CWE-98

CVE-2024-51319Shared CWE-98

CVE-2025-49436Shared CWE-98

CVE-2025-69078Shared CWE-98

CVE-2026-27383Shared CWE-98

CVE-2026-24538Shared CWE-98

References

https://patchstack.com/database/Wordpress/Plugin/wpdatatables/vulnerability/wordpress-wpdatatables-plugin-6-4-0-5-local-file-inclusion-vulnerability?_s_id=cve
audit@patchstack.com