CVE-2026-28049 - Vulnerability Details

- WordPress Police Department theme <= 2.17 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Police Department police-department allows PHP Local File Inclusion.This issue affects Police Department: from n/a through <= 2.17.

Published: 2026-03-05

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Police Department theme for WordPress allows an attacker to include local files through an unsanitized filename parameter in a PHP include/require call. This flaw, classified as CWE‑98, can enable the execution of arbitrary code or disclosure of sensitive files on the server. The vulnerability is contained within the theme code and does not rely on external network components, but it can be triggered via standard web requests, potentially giving attackers full control over the affected site if they can supply a writable file path that is interpreted as PHP.

Affected Systems

ThemeREX "Police Department" theme for WordPress is affected from the earliest released version up through version 2.17. Any site using an impacted version of this theme, regardless of operating system or server configuration, is at risk.

Risk and Exploitability

With a CVSS score of 8.1 the flaw is considered high severity. The EPSS score is below 1 %, indicating that, at present, exploit attempts are rare, and the vulnerability has not been observed in the wild to be included in CISA’s Known Exploited Vulnerabilities catalog. The most likely attack vector is a crafted HTTP request that supplies a malicious filename parameter, inferring that the application blindly trusts input when deciding which file to include. Because the flaw can lead to code execution, it represents a significant risk if an attacker can influence the include path.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ThemeREX

Police Department

unaffected

Version	Status	Constraints
`0`	affected	≤ 2.17

No data.

Vendor Product Confidence Versions

Themerex

Police Department

100%

Version	Status	Scheme	Platform
`[0,2.17]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Police Department theme to version 2.18 or later, restoring input validation for include paths.
If an upgrade is not immediately possible, permanently discontinue the theme by switching to a different WordPress theme and removing the Police Department files from the server to eliminate the vulnerable code path.
As a temporary measure, restrict the PHP include/require callbacks to a controlled directory and remove the ability for users to provide arbitrary filenames to the theme’s include functions.

Generated by OpenCVE AI on April 16, 2026 at 04:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00165.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/police-department/vulnerability/wordpress-police-department-theme-2-17-local-file-inclusion-vulnerability?_s_id=cve

History

Fri, 06 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themerex Themerex police Department Wordpress Wordpress wordpress
Vendors & Products		Themerex Themerex police Department Wordpress Wordpress wordpress

Thu, 05 Mar 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 05 Mar 2026 06:15:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Police Department police-department allows PHP Local File Inclusion.This issue affects Police Department: from n/a through <= 2.17.
Title		WordPress Police Department theme <= 2.17 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/Wordpress/Theme/police-department/vulnerability/wordpress-police-department-theme-2-17-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Themerex Police Department

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-05T05:54:16.390Z

Updated: 2026-04-01T14:15:31.961Z

Reserved: 2026-02-25T12:13:30.134Z

Link: CVE-2026-28049

Vulnrichment

Updated: 2026-03-05T21:21:03.376Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:38.013

Modified: 2026-03-05T22:16:13.563

Link: CVE-2026-28049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object