The OchaHouse theme contains an improper control of filename for include/require in its PHP code, enabling local file inclusion. This flaw may allow an attacker to read arbitrary local files or to execute arbitrary PHP code if a writable directory contains a file that the attacker can trigger. The weakness is identified as CWE-98. The impact can include leakage of sensitive configuration data or full server compromise if an attacker succeeds.

The vulnerability affects the jwsthemes OchaHouse theme for WordPress, versions up to and including 2.2.8. Users running any OchaHouse installation with a version not newer than 2.2.8 are potentially exposed.

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that the probability of exploitation observed in the field is currently very low, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the potential for remote code execution or information disclosure warrants prompt action. An attacker could exploit the flaw by supplying a crafted request that directs the theme to include a local path; the exact vector is not specified in the advisory, so the likely vector is through user-supplied parameters that influence the include path, which is inferred from the nature of the vulnerability.