CVE-2026-28097 in Artrium Plugin
Summary
by MITRE • 03/05/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Artrium artrium allows PHP Local File Inclusion. This issue affects Artrium: from n/a through <= 1.0.14.
Analysis
by VulDB Data Team • 03/07/2026
CVE-2026-28097 is a critical PHP Remote File Inclusion flaw in the ThemeREX Artrium theme, affecting versions through 1.0.14. The theme builds the filename used in an include/require statement from user-supplied input without properly validating or sanitizing it, so an attacker who controls that input controls which file PHP executes, and a remote attacker can run arbitrary PHP code on an affected system. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement) and in this case enables Local File Inclusion (LFI). It sits at the application layer and is reachable through HTTP parameters passed to the theme's PHP scripts, which makes it especially dangerous wherever user input is not adequately filtered.
The impact goes well beyond data theft: included code runs with the privileges of the web application, so an attacker can pull in malicious files from a remote server or existing files on the target and move toward full system compromise, data exfiltration, or persistent backdoors. The flaw is triggered during the theme's normal operation, while it processes HTTP GET or POST parameters, so it can be exploited repeatedly for as long as the vulnerable version remains installed, and it requires neither authentication nor elevated privileges. Exploitation maps to ATT&CK technique T1190 (Exploit Public-Facing Application), which makes the theme a prime target for the automated scanners and exploitation tools common in cybercriminal toolkits.
Mitigation of CVE-2026-28097 needs both an immediate fix and longer-term hardening. The immediate fix is to update Artrium to a patched version that validates and sanitizes all user input before it is used in include/require statements. Beyond that, input validation should reject or escape the characters used in path traversal (double dots, forward slashes and backslashes), and file inclusion should be whitelist-based, so that only predefined, trusted files can ever be included. Further measures: disable remote file inclusion in the PHP configuration, set file permissions that keep sensitive files out of reach of unauthorized access, and log file inclusion attempts so that suspicious ones can be detected. A Web Application Firewall (WAF) with rules written for LFI and RFI patterns adds another layer, and development should follow the OWASP Top Ten guidance for PHP applications. The flaw is a reminder that input validation and secure coding matter most around dynamic file operations in web applications, and that regular security assessments and patch management are essential.
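As an added illustration of the whitelist-based inclusion and logging recommended above (example code written for this page, not Artrium's own; the template directory, keys and function name are assumptions):

```php
<?php
// Added example, not code from the Artrium theme: a whitelist-based template
// loader of the kind the mitigation section recommends for CWE-98 flaws.
// Assumed layout: templates live under ./templates and requests carry a short
// key ("header", "footer", ...), never a path. All names here are hypothetical.
declare(strict_types=1);
// Weak pattern the analysis describes (do not do this): the include target is
// built from request input, so the requester decides which file PHP executes.
//   include __DIR__ . '/templates/' . $_GET['template'] . '.php';

const TEMPLATE_DIR = __DIR__ . '/templates';
// Only these keys resolve to files; anything else is refused.
const TEMPLATE_WHITELIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

// Resolve a request-supplied key to a trusted absolute path, or null.
// Rejected attempts are logged so an LFI/RFI probe shows up in error_log.
function resolve_template(string $key): ?string
{
    // Shape check first: traversal sequences, backslashes, NUL bytes and URL
    // schemes cannot match this pattern, so they never reach include/require.
    if (!preg_match('/\A[a-z][a-z0-9_]{0,31}\z/', $key)) {
        error_log('template include rejected (malformed key): ' . bin2hex($key));
        return null;
    }
    if (!isset(TEMPLATE_WHITELIST[$key])) {
        error_log("template include rejected (not whitelisted): {$key}");
        return null;
    }
    // Defence in depth: the resolved file must still sit inside TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATE_WHITELIST[$key]);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        error_log("template include rejected (outside template dir): {$key}");
        return null;
    }
    return $path;
}
$key  = $_GET['template'] ?? 'header';
$path = resolve_template(is_string($key) ? $key : '');
if ($path === null) {
    http_response_code(400);
    exit('unknown template');
}
require $path;
// Also keep allow_url_include=Off in php.ini so include/require never fetches a URL.
```

The request never carries a path, only a key that is looked up in the map, so traversal sequences and remote URLs are refused before any file is touched, and each refusal leaves a line in the PHP error log for detection.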