Impact
The Pearl theme does not properly control the filename supplied to a PHP include/require statement. An attacker can supply an arbitrary path, causing the theme to read or execute arbitrary files on the server. This flaw, classified as CWE-98, can lead to disclosure of sensitive configuration files or, if the attacker can supply a file containing executable code, remote code execution. The vulnerability lies in the way the theme implements filename handling, which bypasses built-in PHP safeguards.
Affected Systems
The vulnerability impacts the StylemixThemes Pearl – Corporate Business WordPress theme. All releases of the theme older than version 3.4.8 are affected; versions 3.4.8 and newer are not vulnerable.
Risk and Exploitability
With a CVSS score of 8.1, the flaw is considered high severity. The EPSS score is reported as less than 1%, implying a low probability of active exploitation today, and the flaw is not listed in CISA's KEV catalog. The most likely attack vector is remote, as the include path can normally be controlled through a URL parameter or a form field within the theme. Successful exploitation would give the attacker read access to any file readable by the web server, and potentially the ability to execute code if the attacker can force the inclusion of a file containing malicious payloads.
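The include/require handling described under Impact is typically hardened by never letting the request value become part of a path. The following is an added example, not code from the Pearl theme: the function `resolve_template`, the `tpl` parameter, the `templates` directory and the file names are all hypothetical, and PHP 8.0 or later is assumed.

```php
<?php
// Added example: hypothetical template loader, not code from the Pearl theme.
declare(strict_types=1);

// Allowlist: request key => file name inside the template directory (constructed names).
const TEMPLATE_MAP = [
    'header'  => 'header.php',
    'sidebar' => 'sidebar.php',
    'footer'  => 'footer.php',
];

/**
 * Resolve a request-supplied template key to an absolute path, or return null.
 * The request value is only ever used as an array key, never as part of a path.
 */
function resolve_template(string $baseDir, mixed $requested): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, TEMPLATE_MAP)) {
        return null; // unknown key, traversal string, stream wrapper, array input
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . TEMPLATE_MAP[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: the resolved path (symlinks followed) must stay inside $base.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Unsafe pattern that CWE-98 describes, shown only for contrast:
//   include $baseDir . '/' . $_GET['tpl'] . '.php';

// Hypothetical call site: 'tpl' is an assumed parameter name.
$path = resolve_template(__DIR__ . '/templates', $_GET['tpl'] ?? 'header');
if ($path === null) {
    http_response_code(404);
    exit;
}
require $path;
```

Rejected values are worth logging with the client address, since repeated unknown keys against an include parameter are a useful detection signal.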