Impact
The SNS Vicky WordPress theme contains an improper control of filename for include/require statements, creating a Local File Inclusion (LFI) flaw. An attacker can supply an arbitrary file path that the theme passes to an include/require, potentially exposing sensitive files or, if a PHP file under the attacker's control is included, allowing execution of malicious code. The weakness is classified as CWE-98 and carries a CVSS score of 8.1, indicating high severity. Based on the description, it is inferred that an attacker could include arbitrary files because the theme accepts user-controlled input for the include path without proper validation.
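To make the CWE-98 pattern concrete, the following is an added illustration (written for this advisory, not code from the SNS Vicky theme or from snstheme) of a request-controlled include beside a hardened version that resolves the request against a fixed allowlist and confirms the resolved path stays inside the template directory. The parameter name `template`, the `templates/` directory, and the allowlist entries are assumptions for the example.

```php
<?php
// Added example: generic CWE-98 (LFI) pattern and one way to harden it.
// Not the theme's own code; names, directories and the allowlist are assumed.

// --- Vulnerable pattern: the include path is built from request input ---
// Any value the attacker controls (a traversal sequence, or a PHP file
// they managed to place on the server) ends up in the include statement.
function render_template_vulnerable(string $base_dir): void
{
    $name = $_GET['template'] ?? 'default';
    include $base_dir . '/' . $name . '.php';
}

// --- Hardened pattern: map the request to a known file, or reject it ---
// Returns the absolute path of an allowed template, or null if the request
// names anything outside the allowlist or outside $base_dir.
function resolve_template(string $base_dir, string $requested): ?string
{
    // Only known template names are accepted; the request never becomes a path fragment.
    $allowed = ['default', 'grid', 'list'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    $root = realpath($base_dir);
    $path = realpath($base_dir . '/' . $requested . '.php');

    // Defence in depth: the resolved file must exist and sit under the template root.
    if ($root === false || $path === false) {
        return null;
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $base_dir): void
{
    $requested = (string) ($_GET['template'] ?? 'default');
    $path = resolve_template($base_dir, $requested);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid template');
    }
    include $path;
}

// --- Stand-alone demonstration (CLI only): builds a throwaway template
// directory and shows which requests the hardened resolver accepts. ---
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/default.php', "<?php echo 'default template';\n");
    file_put_contents($dir . '/grid.php', "<?php echo 'grid template';\n");

    $inputs = ['default', 'grid', 'list', '../../etc/passwd', 'default.php', ''];
    foreach ($inputs as $input) {
        $resolved = resolve_template($dir, $input);
        printf("%-20s -> %s\n", var_export($input, true), $resolved ?? 'REJECTED');
    }

    // 'default' and 'grid' resolve; 'list' is allowlisted but missing on disk, so it
    // is rejected; every other input is rejected before a path is ever built.
    array_map('unlink', glob($dir . '/*.php'));
    rmdir($dir);
}
```

The allowlist is the real control: once the request can only select among fixed names, path traversal and remote or uploaded PHP files are never reachable, and the `realpath` check guards against a misconfigured `$base_dir` or a symlink placed inside it.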
Affected Systems
The vulnerability affects the SNS Vicky theme distributed by snstheme, in all releases from the initial version through version 3.7 inclusive. Sites running any of these versions on a WordPress installation must verify whether a version newer than 3.7 is in use, or consider removing the theme.
Risk and Exploitability
The EPSS score of less than 1% indicates a low probability of exploitation at this time, though the CVSS score of 8.1 reflects a high potential impact. The theme does not require elevated privileges: an attacker who can influence the parameters sent to it, typically through crafted URLs or form submissions, can trigger the LFI. If a PHP file containing executable code resides on the server and can be referenced by the attacker, execution of that code could follow. The vulnerability is not listed in the CISA KEV catalog, but its high severity and the need for a public fix warrant timely remediation.