Impact
The vulnerability arises from improper control of the filename used in a PHP include or require statement within the TinySalt theme. An attacker can manipulate the input that determines this filename, causing the theme to include arbitrary files located on the server. The flaw primarily allows reading of sensitive local files, such as configuration files or backups, which compromises confidentiality. Based on the description, it is inferred that if the included file contains executable PHP code, there is potential for remote code execution, though this is not explicitly stated in the advisory.
Affected Systems
The affected product is the TinySalt theme for WordPress, distributed by LoftOcean. The issue applies to all released versions from an unspecified starting point up to, but not including, version 3.10.0.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity. The EPSS score is less than 1%, implying a low but non-zero probability of observed exploitation. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector involves a crafted URL or form submission that supplies a malicious path to the theme's include function, requiring only network access to the WordPress site, with no need for elevated privileges. When exploited, the attacker can read arbitrary local files and, as inferred from the LFI nature of the flaw, could potentially execute injected PHP code, leading to a full compromise of the host.
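To make the flaw class described in the Impact and Risk sections concrete, the following is an added illustration of the generic PHP pattern behind an include-based local file inclusion and the hardened form that removes the attack vector. It is not TinySalt's code and not taken from the advisory; the request parameter name (`template`), the template directory layout and the allowlist contents are assumptions made for the example.

```php
<?php
// Added illustration, not TinySalt's code. The 'template' request parameter,
// the templates/ directory and the allowlist below are assumptions.

// Vulnerable pattern: the request value flows straight into include(), so a
// value containing path separators or "../" selects any readable file and,
// if that file holds PHP code, executes it.
function render_template_vulnerable(array $request): void
{
    $name = $request['template'] ?? 'default';
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened pattern: the input is treated as a key into a fixed allowlist, not
// as a path, and the resolved file is confirmed to live under the template
// directory as defence in depth.
define('TEMPLATE_DIR', __DIR__ . '/templates');
const ALLOWED_TEMPLATES = ['default', 'post', 'page', 'archive'];

function resolve_template(string $name): ?string
{
    // Reject anything that is not a plain identifier before touching the
    // filesystem, then require an exact (strict) allowlist match.
    if (!preg_match('/^[a-z0-9_-]+$/', $name) || !in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    // realpath() returns false for missing files; the prefix check catches
    // symlinks that point outside the template directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(array $request): void
{
    $path = resolve_template((string) ($request['template'] ?? 'default'));
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}
```

The allowlist, not the regular expression or the `realpath()` check, is the control that actually fixes the bug: once the request value can only select among known names, there is no path for an attacker to supply. The other two checks exist so that a future edit which loosens the allowlist still cannot reach files outside the template directory.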
OpenCVE Enrichment