CVE-2026-28107
Published: 05 March 2026
Summary
CVE-2026-28107 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28107 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as a PHP Remote File Inclusion issue that enables PHP Local File Inclusion, affecting the ThemeREX Muzicon WordPress theme in versions from n/a through 1.9.0. Published on 2026-03-05, it is associated with CWE-98 and carries a CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated remote attackers can exploit this vulnerability over the network without user interaction, though exploitation requires high attack complexity. Successful attacks can result in high impacts to confidentiality, integrity, and availability, potentially allowing attackers to include and execute local PHP files on the server.
Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Theme/muzicon/vulnerability/wordpress-muzicon-theme-1-9-0-local-file-inclusion-vulnerability?_s_id=cve.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9761
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Muzicon muzicon allows PHP Local File Inclusion.This issue affects Muzicon: from n/a through <= 1.9.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a Local File Inclusion (LFI) in a public-facing WordPress theme, directly exploitable over the network without authentication, enabling exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by identifying, reporting, and applying patches to the vulnerable ThemeREX Muzicon WordPress theme versions through 1.9.0.
Prevents exploitation of the PHP Local File Inclusion vulnerability by validating and sanitizing user-supplied filenames used in include/require statements.
Mitigates risk through secure PHP configuration settings such as disabling allow_url_include and enforcing open_basedir restrictions to limit arbitrary file access.