CVE-2026-28121
Published: 05 March 2026
Summary
CVE-2026-28121 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28121 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, commonly known as PHP Remote File Inclusion, within the Anderson WordPress theme (also referred to as andersonclinic) developed by AncoraThemes. This flaw enables PHP Local File Inclusion and affects all versions of the theme up to and including 1.4.2. The vulnerability is classified under CWE-98 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
Attackers can exploit this vulnerability remotely over the network without requiring user privileges or interaction, though it demands high attack complexity. Successful exploitation allows unauthenticated attackers to perform local file inclusion, potentially leading to arbitrary code execution, data disclosure, modification of system files, or denial of service on the targeted WordPress site running the vulnerable theme version.
The primary advisory is available from Patchstack at https://patchstack.com/database/Wordpress/Theme/andersonclinic/vulnerability/wordpress-anderson-theme-1-4-2-local-file-inclusion-vulnerability?_s_id=cve, which details the issue in the context of the WordPress Anderson theme version 1.4.2. Security practitioners should consult this reference for specific patch information or upgrade guidance to mitigate the vulnerability.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9773
Vulnerability details
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Anderson andersonclinic allows PHP Local File Inclusion.This issue affects Anderson: from n/a through <= 1.4.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-28121 is a remote file inclusion vulnerability in a public-facing WordPress theme, enabling unauthenticated attackers to include and execute arbitrary local files, directly facilitating T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely remediation through patching the vulnerable Anderson WordPress theme directly corrects the improper filename control in PHP include/require statements.
Validates user-supplied filenames prior to their use in PHP include/require operations to block malicious local file inclusion paths.
Restricts information inputs such as filenames to only authorized values, preventing exploitation of uncontrolled file inclusion in the theme.