ThemeREX Chroma allows attackers to access sensitive files on your server

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.1

ThemeREX Chroma allows attackers to access sensitive files on your server

CVE-2026-28020

Summary

A security weakness in ThemeREX Chroma allows an attacker to access files on your server that they shouldn't be able to. This means sensitive information or even malicious code could be accessed. Update to a version of ThemeREX Chroma that fixes this issue to protect your site.

Original title

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Chroma chroma allows PHP Local File Inclusion.This issue affects Ch...

Original description

nvd CVSS3.1 8.1

Vulnerability type

CWE-98 Improper Control of Filename for Include

https://patchstack.com/database/Wordpress/Theme/chroma/vulnerability/wordpress-c...

Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026