Impact
This vulnerability arises from improper validation of filename parameters in a PHP include/require statement within the Themify Event Post plugin. The flaw permits the inclusion of any local file on the web server, which can expose sensitive configuration files or, if a PHP file is included, execute arbitrary code. The weakness corresponds to CWE‑98 and is classified as a local file inclusion that could lead to remote code execution if exploited.
Affected Systems
WordPress installations that use the Themify Event Post plugin version 1.3.2 or older are affected. The vulnerability applies to all affected plugin instances regardless of site role or configuration, meaning any user capable of influencing plugin input could trigger the flaw.
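To check whether a site falls in the affected range, the following added example (not part of the advisory or of the plugin's code) walks a `wp-content/plugins` directory, reads each plugin's header comment, and reports copies of Themify Event Post at version 1.3.2 or older. It assumes the plugin's `Plugin Name` header matches the name used in this advisory; the sample install in the demo is constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

PLUGIN_NAME = "Themify Event Post"  # assumption: header name matches the advisory
LAST_AFFECTED = (1, 3, 2)           # advisory: "version 1.3.2 or older"

# WordPress plugin metadata lives in "Key: value" lines inside a comment
# at the top of the plugin's main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def read_header(php_file):
    """Return the lower-cased header fields found at the top of the file."""
    text = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    found = {}
    for key, value in HEADER.findall(text):
        found.setdefault(key.lower(), value.strip())
    return found

def parse_version(text):
    """'1.3.2' -> (1, 3, 2); a suffix such as '-beta' is ignored."""
    parts = [int(n) for n in re.findall(r"\d+", text.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def find_affected(plugins_dir):
    """List (file, version) for installed copies at or below LAST_AFFECTED."""
    hits = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        header = read_header(php_file)
        if header.get("plugin name", "").lower() != PLUGIN_NAME.lower():
            continue
        version = header.get("version", "")
        if not re.search(r"\d", version):
            # Unreadable version: report it for manual review, do not skip.
            hits.append((str(php_file), "unknown"))
        elif parse_version(version) <= LAST_AFFECTED:
            hits.append((str(php_file), version))
    return hits

if __name__ == "__main__":
    # With no argument, run against a constructed sample install.
    with tempfile.TemporaryDirectory() as root:
        sample = Path(root, "sample-plugin-dir", "plugin.php")
        sample.parent.mkdir()
        sample.write_text("<?php\n/*\n * Plugin Name: Themify Event Post\n * Version: 1.3.2\n */\n")
        print(find_affected(sys.argv[1] if len(sys.argv) > 1 else root))
```

Pass the path to a real `wp-content/plugins` directory as the first argument to check an actual installation.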
Risk and Exploitability
The CVSS score of 7.5 indicates a medium to high severity. The EPSS score of <1% shows a very low probability of exploitation at present, and the flaw is not listed in the CISA KEV catalog. The likely attack vector involves external requests to the plugin that manipulate the filename parameter; a remote attacker could supply a path that points to sensitive files or to PHP scripts for code execution. Due to the nature of local file inclusion, impact can range from information disclosure to full server compromise, making timely remediation a priority.