This vulnerability is an Improper Control of Filename for Include/Require Statement in PHP that permits Local File Inclusion (CWE‑98). The BlogMarks theme processes user input that is passed directly to an include/require call, allowing an attacker to read arbitrary files on the server or, if a malicious file can be placed on the server, execute PHP code. The flaw can lead to disclosure of confidential data, alteration of site content, and potential destabilization of site availability. The CVSS score of 8.1 reflects the high risk posed by this vulnerability.

The BlogMarks theme for WordPress, supplied by wpinterface, is affected. All releases from the initial launch through and including version 1.0.8 are vulnerable. Administrators should verify that their site is running blogmarks 1.0.9 or a newer release before proceeding.

The EPSS score of less than 1 % indicates that exploitation is presently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The primary attack vector is Local File Inclusion, typically triggered by a crafted request that supplies a user‑controlled file path to the include/require statement. Exploitation requires the ability to affect the path or to have already placed a malicious file on the server; otherwise the impact is limited to unauthorized file disclosure. The high CVSS score signals that, if exploited, the vulnerability could compromise confidentiality, integrity, and availability of the affected WordPress site.