The vulnerability originates from an improper control of the filename passed to PHP's include/require statements within the Dessau theme for WordPress. An attacker able to influence the value of that filename can trigger a local file inclusion attack, allowing read access to arbitrary files on the web server. If the included file contains executable PHP code, it could also lead to remote code execution. The impact includes disclosure of sensitive system files and potential execution of malicious code, compromising confidentiality and integrity on the affected host.

All installations of the Select‑Themes Dessau WordPress theme earlier than version 1.9 are vulnerable. This includes every WordPress site that has the Dessau theme set to any version prior to 1.9, regardless of the WordPress core version. The issue affects the theme's PHP files that perform file inclusion without proper validation of user‑supplied paths.

The CVSS score of 7.5 reflects a high risk of successful exploitation if an attacker can manipulate the filename used in the include/require statement. The EPSS score of less than 1% indicates that exploitation in the wild is not widely reported, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, triggered via a web request that supplies a crafted file path to the theme, possibly through a query parameter or form input. Given the severity, attackers with access to the site’s frontend or an authenticated user with the ability to send requests to the vulnerable functions could exploit this flaw.