CVE-2026-28045 in N7 Plugin

Summary

by MITRE • 03/05/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion. This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0.

Analysis

by VulDB Data Team • 03/07/2026

The vulnerability CVE-2026-28045 represents a critical PHP Remote File Inclusion flaw in the ThemeREX N7 | Golf Club Sports & Events WordPress theme, specifically impacting versions up to and including 2.16.0. This vulnerability stems from improper validation of filename parameters in include/require statements, creating a pathway for malicious actors to execute arbitrary code on affected systems. The flaw allows attackers to manipulate the include/require functionality to load and execute remote files, effectively bypassing local file access controls and potentially leading to complete system compromise.

This vulnerability maps directly to CWE-88, which describes improper control of filename for include/require statements, and aligns with ATT&CK technique T1190 for exploiting vulnerabilities in web applications. The technical implementation involves the theme's code failing to properly sanitize user input passed to PHP include/require functions, enabling attackers to inject malicious file paths. When the theme processes user-supplied parameters without adequate validation, it creates a condition where remote file inclusion becomes possible, allowing threat actors to execute arbitrary PHP code with the privileges of the web server.

The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with a persistent foothold for further exploitation. An attacker could leverage this vulnerability to upload backdoors, establish command and control channels, or escalate privileges within the compromised environment. The vulnerability affects not only the targeted WordPress theme but also potentially exposes the entire WordPress installation to additional attacks, as successful exploitation can lead to full system compromise. The remote nature of the vulnerability means that attackers do not require local access to the server, making it particularly dangerous for publicly accessible web applications.

Organizations affected by this vulnerability should immediately implement mitigations including updating to the latest version of the ThemeREX N7 | Golf Club Sports & Events theme where available, implementing proper input validation on all user-supplied parameters, and applying web application firewalls to monitor and block suspicious include/require requests. Additionally, administrators should conduct thorough security audits of all installed WordPress themes and plugins, disable unnecessary file inclusion capabilities, and implement proper access controls to limit the potential impact of such vulnerabilities. The vulnerability underscores the importance of input validation and proper parameter sanitization in preventing remote code execution attacks, particularly in web applications where user input is processed through include/require functions.
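The input validation recommended above, sketched as an added example (it is not code from the affected theme or from VulDB): a template name taken from a request is allowlisted and then confirmed to resolve inside a fixed directory before `include` runs. The function name `resolve_template`, the directory layout and the sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: a hypothetical template loader, not code from the affected theme.

/**
 * Map a user-supplied template name to a file inside $baseDir.
 * Returns the canonical path, or null when the name must be rejected.
 */
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Allowlist the name: no separators, dots, NUL bytes or URL schemes.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // 2. Canonicalise and confirm the result is still inside the base directory
    //    (catches symlinks that point elsewhere).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sandbox: one legitimate template and one file outside the base.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/header.php', '<?php echo "header\n";');
file_put_contents($root . '/outside.php', '<?php echo "should never load\n";');

// Constructed request values, as they might arrive in a query parameter.
$samples = ['header', '../outside', 'http://example.invalid/x', 'Header', 'missing'];
foreach ($samples as $value) {
    $path = resolve_template($root . '/templates', $value);
    printf("%-28s => %s\n", var_export($value, true), $path === null ? 'rejected' : 'include ' . basename($path));
    if ($path !== null) {
        include $path; // only reached for allowlisted, contained files
    }
}
```

Only `header` reaches the `include`; every other sample is rejected before any file is opened. Keeping PHP's `allow_url_include` setting off removes URL-based includes as a second layer, independent of this check.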

Responsible: Patchstack
Reservation: 02/25/2026
Disclosure: 03/05/2026
Moderation: accepted
CPE: ready
EPSS: 0.00172
KEV: no
Activities: very low
