The Grace Mag WordPress theme implements an include/require statement that accepts a filename parameter without adequate validation, allowing local file inclusion. This flaw permits an attacker who can supply a crafted file path to read arbitrary files on the server or execute PHP code present in those files, thereby threatening confidentiality, integrity, or availability of the site. The description does not specify how the parameter is injected; it is inferred that an attacker could deliver the payload through a URL or form field that is passed to the vulnerable include statement.

The vulnerability exists in the Grace Mag theme distributed by Everest Themes, affecting every release up to and including version 1.1.5. All WordPress sites that have this theme installed and activated are potentially impacted.

The CVSS base score of 7.5 denotes high severity, and the EPSS score of <1% indicates a low yet non‑zero probability of exploitation at the time of this assessment. The vulnerability is not listed in CISA’s KEV catalog, and no public exploit references are present in the supplied data. The expected attack vector appears to be a publicly reachable LFI path that an adversary could construct via URL parameters or form inputs to point the PHP include statement to local files.