The Gardis WordPress theme contains an improper control of the filename used in an include/require statement, creating a Local File Inclusion flaw that can allow an attacker to read arbitrary files within the site’s filesystem. This weakness, classified as CWE‑98, may enable disclosure of sensitive configuration data and, in some scenarios, the execution of arbitrary code. The CVSS score of 8.1 signals a high severity impact, while the EPSS value of less than 1% indicates that, as of now, the probability of exploitation remains low.

The vulnerability affects the AncoraThemes Gardis theme for WordPress, specifically all releases from the earliest available version up to and including 1.2.13. No specific minimum version is listed, so every deployed version of Gardis older than 1.2.14 is at risk.

Since the flaw arises from the way Gardis processes include paths, the likely attack vector is a remote request to a WordPress page that invokes the vulnerable include logic, with the attacker controlling the filename parameter. The attacker would need network access to the WordPress instance and the ability to overwrite or influence the path used in the include/require call; if the attack succeeds, they could read files such as wp-config.php or, if the include is executed in a writable context, upload and execute malicious PHP code. Because the EPSS is currently below 1% and the issue is not listed in KEV, it is not yet widely exploited, but the high CVSS score warrants prompt action.