Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Anderson andersonclinic allows PHP Local File Inclusion. This issue affects Anderson: from n/a through <= 1.4.2.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially leading to Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Improper validation of the filename passed to a PHP include/require statement in the AncoraThemes Anderson WordPress theme allows Local File Inclusion. The flaw lets an attacker read sensitive files on the server, and because PHP executes any file it includes, the advisory infers that the same include mechanism could be used to execute attacker-controlled code, ultimately leading to full code execution through the web application. The weakness is classified as CWE-98.

Affected Systems

WordPress sites running the Anderson theme from AncoraThemes at version 1.4.2 or earlier. The CNA lists no lower bound ("n/a"), so every release up to and including 1.4.2 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (High) reflects a flaw reachable over the network without privileges or user interaction, though with high attack complexity (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). The EPSS score below 1 percent indicates a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog; its publication by reputable advisory sources and the high CVSS nonetheless mean it should be treated seriously. The likely attack vector is a request parameter or crafted URL that causes the theme to include a file it was never meant to, exploiting the missing path validation. Given the nature of the flaw, successful exploitation is inferred to lead to disclosure of sensitive data or complete remote code execution on the affected WordPress installation.

Generated by OpenCVE AI on April 15, 2026 at 22:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anderson theme to the latest released version from AncoraThemes, removing all versions <=1.4.2 from your WordPress site.
  • If an upgrade is not immediately possible, modify the theme's file-include logic to enforce a strict allowlist of permitted template names, or route every include through a helper that validates the requested filename against that known list before including it.
  • Configure web server and PHP settings to restrict filesystem access for the WordPress upload directory and theme directory, so that only the files the application genuinely needs are readable by it.
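The second recommended action describes an allowlisted include helper. The following is an added illustration of that pattern, not code from the Anderson theme or from AncoraThemes; the template names, the `template` query parameter and the `templates/` subdirectory are assumptions chosen for the example, and the unsafe pattern shown in the comment is the generic CWE-98 shape rather than the theme's actual code.

```php
<?php
// Added example (not the Anderson theme's code): an allowlist-based include
// helper of the kind the recommendation above describes. Parameter names,
// template names and directory layout are assumptions for illustration.

// The unsafe shape behind CWE-98: a request parameter reaches include()
// unchecked, so whatever file it names is read and executed as PHP.
//   include get_template_directory() . '/templates/' . $_GET['template'] . '.php';

/**
 * Resolve an untrusted template name against a fixed allowlist and include it.
 *
 * @param string   $name     Untrusted template name (e.g. from a query parameter).
 * @param string[] $allowed  Exact template names the theme legitimately renders.
 * @param string   $base_dir Directory that holds the allowed templates.
 * @return bool True if the template was included, false if it was rejected.
 */
function theme_include_template(string $name, array $allowed, string $base_dir): bool {
    // 1. Exact, type-strict match against the allowlist. This is the real control:
    //    nothing outside the list is ever passed to include().
    if (!in_array($name, $allowed, true)) {
        error_log("theme: rejected template name '{$name}'");
        return false;
    }

    // 2. Defence in depth: confirm the resolved path stays inside $base_dir, which
    //    catches mistakes such as an allowlist entry that itself contains '../'.
    //    realpath() also fails (false) for files that do not exist.
    $real_base = realpath($base_dir);
    $real_path = realpath($base_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($real_base === false || $real_path === false
        || strncmp($real_path, $real_base . DIRECTORY_SEPARATOR, strlen($real_base) + 1) !== 0) {
        error_log("theme: template '{$name}' resolved outside {$base_dir}");
        return false;
    }

    include $real_path;
    return true;
}

// Usage inside a theme file. get_template_directory() is WordPress's own API;
// the parameter and template names are hypothetical.
$template_dir      = get_template_directory() . '/templates';
$allowed_templates = ['default', 'clinic', 'doctor'];
$requested         = isset($_GET['template']) ? (string) $_GET['template'] : 'default';

if (!theme_include_template($requested, $allowed_templates, $template_dir)) {
    // Unknown or malformed name: fall back to a known-good template rather than
    // echoing the rejected value back into the page.
    theme_include_template('default', $allowed_templates, $template_dir);
}
```

The allowlist check does the work; the realpath() containment check only guards against errors in the allowlist itself. Combining this with the third recommendation (for example, PHP's open_basedir restriction) limits what an include can reach even if a future change reintroduces an unchecked path.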


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Ancorathemes
                                       Ancorathemes anderson
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Ancorathemes
                                       Ancorathemes anderson
                                       Wordpress
                                       Wordpress wordpress

Thu, 05 Mar 2026 15:15:00 +0000

Type       Values Removed    Values Added
Metrics                      cvssV3_1
                             {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                             ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed    Values Added
Description                     Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Anderson andersonclinic allows PHP Local File Inclusion. This issue affects Anderson: from n/a through <= 1.4.2.
Title                           WordPress Anderson theme <= 1.4.2 - Local File Inclusion vulnerability
Weaknesses                      CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:47.063Z

Reserved: 2026-02-25T12:14:07.579Z

Link: CVE-2026-28121

Vulnrichment

Updated: 2026-03-05T14:56:49.770Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:46.747

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28121

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z

Weaknesses