CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2026-28043

CVSS 9.8v3.1pub. 2026-03-05upd. 2026-04-22

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through <= 1.0.0.

🤖 AI Analysis
How it works

The vulnerability results from improper validation of the filename passed to include/require instructions in the theme's PHP code (CWE-98). An attacker can provide crafted input that manipulates the path of the included file, forcing the server to load any local file. This can lead to reading sensitive system files or executing malicious code if the attacker has previously gained the ability to place a file on the server.

Impact

An attacker can read sensitive files from the server (e.g., database configuration, credentials) and potentially execute remote code, leading to complete system takeover — compromising confidentiality, integrity, and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Until the update is applied, it is recommended to deactivate the theme or restrict access to the website. Detailed information is available in the Patchstack database.

Who is affected

WordPress theme 'Healer - Doctor, Clinic & Medical WordPress Theme' by ThemeREX, versions from n/a to 1.0.0 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References