CVE-2026-28121 in Anderson Plugin
Summary
by MITRE • 03/05/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Anderson andersonclinic allows PHP Local File Inclusion. This issue affects Anderson: from n/a through <= 1.4.2.
Analysis
by VulDB Data Team • 03/07/2026
The CVE-2026-28121 vulnerability represents a critical PHP Remote File Inclusion flaw that exists within the AncoraThemes Anderson andersonclinic WordPress theme. This vulnerability stems from improper validation of filename parameters in include/require statements, creating a pathway for attackers to execute arbitrary code on affected systems. The flaw specifically impacts versions of the Anderson theme ranging from the initial release through version 1.4.2, making a substantial portion of installations potentially vulnerable to exploitation.
The technical root cause of this vulnerability aligns with CWE-98, which describes improper control of filename for include or require statements. Attackers can manipulate the filename parameter in the include/require directives to load malicious files from remote servers or local system paths. This occurs when user-supplied input is directly incorporated into PHP include statements without proper sanitization or validation, allowing for arbitrary code execution. The vulnerability specifically enables PHP Local File Inclusion attacks, where attackers can leverage the flawed parameter handling to access and execute files on the target system.
The operational impact of this vulnerability extends beyond simple code execution, as it provides attackers with significant control over the affected WordPress installation. Successful exploitation could lead to complete system compromise, data theft, or the deployment of backdoors. The vulnerability affects the theme's functionality by allowing unauthorized access to include mechanisms, potentially enabling attackers to access sensitive files, execute malicious code, or escalate privileges within the WordPress environment. This presents a serious threat to website administrators and users who rely on the Anderson theme for their site functionality.
Mitigation strategies for CVE-2026-28121 should prioritize immediately updating affected Anderson theme installations to version 1.4.3 or later, as this release addresses the core parameter validation issue. Organizations should implement input validation measures so that all user-supplied parameters are sanitized before they are processed in include/require statements. Network-level protections such as web application firewalls can help detect and block exploitation attempts targeting this vulnerability. Additionally, applying the principle of least privilege to WordPress file permissions, together with regular security audits, can help reduce the attack surface. The vulnerability also aligns with ATT&CK technique T1505.003 for PHP remote file inclusion, making it a target for attackers seeking to establish persistent access through web application exploitation.
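As an added illustration (not code from the Anderson theme, from VulDB, or from the CVE record), the following PHP contrasts a generic template loader carrying the CWE-98 defect described in the analysis with an allowlist-based loader that implements the input-validation mitigation recommended above. The request parameter name `template`, the `templates/` directory and the template names are assumptions chosen for the example.

```php
<?php
// Added example, not the Anderson theme's own code. Every name below
// ($_GET['template'], the templates/ directory, the template names) is
// hypothetical and chosen only to illustrate the CWE-98 pattern.

// VULNERABLE pattern: the request value reaches require_once unvalidated,
// so any string a client supplies decides which local file is included
// (and, when allow_url_include is enabled, even a remote URL).
function load_template_vulnerable(string $template): void
{
    require_once __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED pattern: the client supplies only a key into a fixed allowlist;
// the filesystem path is never built from user input.
const TEMPLATE_ALLOWLIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'gallery' => 'gallery.php',
];

// Returns the absolute path of an allowed template, or null when the key is
// unknown or the resolved path escapes templates/ (defence in depth).
function resolve_template(string $template): ?string
{
    if (!array_key_exists($template, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . TEMPLATE_ALLOWLIST[$template]);
    if ($base === false || $path === false) {
        return null; // directory or file missing on disk
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside templates/
    }
    return $path;
}

function load_template_hardened(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    require_once $path;
}

// Constructed request values showing the allowlist decision. The realpath
// check in resolve_template additionally requires the file to exist on disk,
// so this demo only evaluates the first gate.
$inputs = ['gallery', '../../not-a-template', 'php://filter/resource=index'];
foreach ($inputs as $in) {
    $decision = array_key_exists($in, TEMPLATE_ALLOWLIST) ? 'allowed' : 'rejected';
    echo str_pad($in, 32) . " -> $decision\n";
}
```

The key design choice is that the hardened loader never concatenates client input into a path: the allowlist maps a short key to a file the developer chose, and the `realpath` prefix check guards against a future maintainer re-introducing path construction from user data. Sanitizing the string (stripping `../`, for example) is a weaker substitute and is not what the mitigation in the analysis calls for.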