Impact
This vulnerability arises from improper control of the filename used in a PHP include/require statement in the dedalx Cook&Meal WordPress theme. An attacker can supply a crafted filename that the application then includes, allowing arbitrary local files to be read by the web server, or executed if they contain PHP. The CVSS score of 8.1 reflects a high severity, indicating that successful exploitation could compromise the confidentiality, integrity, and potentially the availability of the affected WordPress site.
Affected Systems
The Cook&Meal theme from dedalx is vulnerable in all releases up to and including version 1.2.3. Any WordPress installation still running an unupgraded copy of Cook&Meal is exposed, regardless of the size or audience of the site.
Risk and Exploitability
The EPSS score of less than 1% suggests a low but non-zero probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. From the description it can be inferred that the attack only requires supplying a filename parameter in a request to the theme's PHP code; the outcome then depends on the target file existing within the web root or in a known system directory. If the included file contains executable PHP, the impact expands to remote code execution. The CVE data does not reference any publicly known exploits, but the high CVSS score and the potential for severe consequences warrant immediate attention.
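The generic code pattern behind this bug class, shown beside a hardened form, as an added illustration written for this page; it is not code from the Cook&Meal theme, whose affected code path is not reproduced here. The parameter name `template`, the `layouts/` directory and the layout names are assumptions.

```php
<?php
// Added illustration, not code from the Cook&Meal theme.
// Assumed: a hypothetical "template" request parameter and a theme "layouts/" directory.

// VULNERABLE pattern (CWE-98): the request decides which file is included.
// Any file the web server can read is pulled in, and if it contains PHP it runs.
function render_layout_unsafe(string $requested): void {
    include get_template_directory() . '/layouts/' . $requested;  // filename under attacker control
}

// HARDENED pattern: the request selects a key, never a path.
// The allowlist maps the only accepted values to fixed files under the theme directory.
const COOKMEAL_LAYOUTS = [
    'recipe'  => 'layouts/recipe.php',
    'menu'    => 'layouts/menu.php',
    'default' => 'layouts/default.php',
];

function cookmeal_resolve_layout(?string $requested): string {
    // Missing or unknown keys fall back to the default rather than being used as a path.
    if ($requested === null || !array_key_exists($requested, COOKMEAL_LAYOUTS)) {
        return COOKMEAL_LAYOUTS['default'];
    }
    return COOKMEAL_LAYOUTS[$requested];
}

function render_layout_safe(?string $requested): void {
    $base = realpath(get_template_directory());
    $path = realpath($base . '/' . cookmeal_resolve_layout($requested));
    // Defence in depth: even with the allowlist, confirm the resolved file sits inside the theme dir
    // (realpath() collapses any "." / ".." segments and returns false for a missing file).
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Invalid layout');
    }
    require $path;
}

// Typical call site, e.g. from a template file:
render_layout_safe(isset($_GET['template']) ? (string) $_GET['template'] : null);
```

When auditing a theme for this class of bug, the thing to look for is any include/require whose operand is built from `$_GET`, `$_POST`, `$_REQUEST` or another request-derived value rather than from a fixed map like the one above.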
OpenCVE Enrichment