This vulnerability stems from improper validation of filenames in PHP include/require statements within the Kinsley theme, leading to a Local File Inclusion flaw (CWE-98). An attacker who can influence the file path may read sensitive server files or include malicious content, potentially resulting in privilege escalation or remote code execution, depending on the server configuration and file permissions. The impact thus encompasses confidentiality, integrity, and availability risks for the affected WordPress installation.

The affected product is the Kinsley theme by bslthemes, versions up to and including 3.4.4 are susceptible. No specific sub‑versions are listed, so all releases prior to 3.4.5 must be considered vulnerable until a patch is applied.

The severity of the issue is reflected in a CVSS score of 8.1, indicating a high‑risk condition. The EPSS score of less than 1% indicates a low likelihood of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the theme's include functionality, inferred from the PHP code that accepts external path inputs without adequate sanitization. Successful exploitation would require the attacker to supply a crafted file path, which is feasible if the theme exposes an endpoint or form that influences the include parameter.