What the vulnerability does
01Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit allows PHP Local File Inclusion.This issue affects TopFit - Fitness and Gym WordPress Theme: from n/a through <= 1.9.
Explanation of Vulnerability in Simple Terms
02Summary
TopFit WordPress theme versions 1.9 and earlier contain a code injection vulnerability that allows unauthenticated attackers to run arbitrary PHP code on affected sites. The vulnerability requires high attack complexity but can compromise confidentiality, integrity, and availability. Site administrators should update to a version newer than 1.9 immediately.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site without authentication.
Potential impact on your site
04Site Impact
Complete site compromise possible, including data theft, malware injection, and service disruption.
Conditions required to exploit
05Prerequisites
Network access to the site; no user authentication required, but exploitation requires specific conditions.
Key dates
06Disclosure timeline
March 5, 2026
CVE published
April 28, 2026
Record updated