Impact
The flaw stems from the improper handling of filenames supplied to PHP's include/require statements within the Zegen theme. When a malicious user supplies a crafted filename through a web request, the theme interprets it as a local file path, enabling inclusion of arbitrary files residing on the server. This primarily permits accidental or intentional disclosure of internal files such as configuration files or credential data. While the vulnerability does not enable direct code execution, the exposed information could serve as a foothold for further attacks.
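The root cause described above is a request-supplied value reaching include/require unchecked. As an added example (not code from the Zegen theme or its vendor; the function name, template names and directory are hypothetical), one way to confine such an include is an allowlist followed by a canonical-path containment check:

```php
<?php
// Added illustration; not code from the Zegen theme. All names are hypothetical.

/**
 * Resolve a request-supplied template name to a file inside $baseDir.
 * Returns the absolute path, or null when the name must not be included.
 */
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only known template names are accepted at all.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise the path (resolves "..", symlinks).
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null; // file does not exist
    }
    // 3. Containment: the resolved file must still live under the base dir.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary template directory with one file.
$dir = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/header.php', '<?php echo "header included\n";');

$allowed = ['header', 'footer'];
foreach (['header', 'footer', '../settings', '/etc/hostname'] as $input) {
    $path = resolve_template($input, $dir, $allowed);
    if ($path === null) {
        echo "rejected: $input\n"; // log and return an error page in real code
    } else {
        include $path;             // only reached for vetted, contained files
    }
}

unlink($dir . '/header.php');
rmdir($dir);
```

Here `footer` is rejected because no such file exists, and the two path-style inputs are rejected by the allowlist before any filesystem access happens.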
Affected Systems
The affected product is the WordPress theme Zegen from the vendor zozothemes. All releases from the initial build up to version 1.1.9 contain the flaw. Version 1.1.10 or later presumably contains the fix, although vendors may release security updates outside the standard versioning.
Risk and Exploitability
The CVSS score of 7.5 classifies this issue as high severity, while the EPSS score of less than 1% indicates a low probability of active exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is through a web-accessible endpoint that accepts a filename parameter; an attacker can manipulate this value to reference arbitrary local files, triggering the server to deliver the file contents. No special system privileges are required beyond access to the vulnerable endpoint.