CVE-2026-28120
Received Received - Intake
Local File Inclusion in ThemeREX Dr.Patterson

Publication date: 2026-03-05

Last updated on: 2026-03-05

Assigner: Patchstack

Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dr.Patterson dr-patterson allows PHP Local File Inclusion.This issue affects Dr.Patterson: from n/a through <= 1.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-05
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-28120
EUVD
EUVD-2026-9772
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
themerex dr_patterson From 1.0 (inc) to 1.3.2 (inc)
themerex dr_patterson to 1.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-28120 is a Local File Inclusion (LFI) vulnerability found in the WordPress Dr.Patterson Theme versions up to and including 1.3.2. This vulnerability allows unauthenticated attackers to include and display local files from the target website.

By exploiting this flaw, attackers can potentially access sensitive information stored on the server, such as database credentials.

Impact Analysis

[{'type': 'paragraph', 'content': "Exploitation of this vulnerability could lead to exposure of sensitive data and potentially a complete database takeover depending on the website's configuration."}, {'type': 'paragraph', 'content': 'Because the vulnerability allows attackers to include local files without authentication, it poses a high risk to the confidentiality and integrity of the affected system.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'CVE-2026-28120 is a Local File Inclusion (LFI) vulnerability in the WordPress Dr.Patterson Theme up to version 1.3.2 that allows unauthenticated attackers to include and display local files from the target website.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can monitor web server logs for suspicious requests attempting to include local files via URL parameters, especially those targeting the Dr.Patterson theme.'}, {'type': 'paragraph', 'content': 'Common detection commands or methods include using tools like curl or wget to test for LFI by sending crafted requests that attempt to include sensitive files such as /etc/passwd or wp-config.php.'}, {'type': 'list_item', 'content': 'curl -v "http://yourwebsite.com/wp-content/themes/dr-patterson/somefile.php?file=../../../../etc/passwd"'}, {'type': 'list_item', 'content': "grep -i 'file=' /var/log/apache2/access.log | grep -E '\\.\\./|etc/passwd|wp-config.php'"}, {'type': 'paragraph', 'content': 'Additionally, web application firewalls (WAFs) with rules targeting this vulnerability can help detect and block exploitation attempts.'}] [1]

Mitigation Strategies

Since no official patch is currently available for the Dr.Patterson theme vulnerability CVE-2026-28120, immediate mitigation steps are critical.

  • Apply the mitigation rule issued by Patchstack to block attacks targeting this vulnerability until an official patch is released.
  • Restrict access to the vulnerable theme files by implementing proper file permissions and disabling direct access where possible.
  • Use a web application firewall (WAF) to detect and block malicious requests attempting Local File Inclusion.
  • Monitor your web server logs for suspicious activity related to file inclusion attempts.

Consider temporarily disabling or replacing the Dr.Patterson theme if feasible until a secure version is released.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-28120. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart