Impact
This vulnerability is due to improper control of the filename used in PHP’s include/require logic, enabling a local file inclusion (LFI) attack. An attacker can make the application open and read files on the server, or potentially execute arbitrary code if they can craft input that causes a PHP file of their choosing to be included. The flaw could expose sensitive configuration files, credentials, or other private data, and may enable further exploitation such as remote code execution when combined with other weaknesses.
Affected Systems
The WordPress Hygia theme by Axiom Themes version 1.16 and earlier is affected. Any installation of this theme that has not been upgraded beyond 1.16 is vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of <1% suggests a low to very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but the potential impact remains significant. The precise attack vector is not explicitly detailed in the available information; however, the flaw lies in the theme’s file inclusion logic, which implies that an attacker could trigger it through crafted request parameters or configuration settings that control the include path. Security teams should assume that, once an attacker can influence the include path, they may read sensitive files or inject malicious scripts. The low exploitation probability does not diminish the need for timely remediation.
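As an added illustration (not code from the Hygia theme or from OpenCVE), the include pattern this advisory describes next to a hardened version that maps a request parameter to a fixed allowlist of template files instead of using it as a path; the function names, directory layout and sample inputs are assumptions constructed for the example:

```php
<?php
// Added illustrative example, not code from the Hygia theme.

// --- Vulnerable pattern: the include path is built from request input. ---
function render_template_vulnerable(string $requested): void
{
    // Whatever the caller supplies (e.g. a traversal such as "../../wp-config.php")
    // is resolved and executed by include() without any check.
    include __DIR__ . '/templates/' . $requested;
}

// --- Hardened pattern: request input selects an identifier, never a path. ---
const TEMPLATE_ALLOWLIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

// Pure allowlist decision: only known identifiers are accepted.
function template_is_allowed(string $requested): bool
{
    return array_key_exists($requested, TEMPLATE_ALLOWLIST);
}

// Defence in depth: even an allowlisted entry must resolve inside the template dir.
function resolve_template(string $requested): ?string
{
    if (!template_is_allowed($requested)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = $base === false ? false : realpath($base . '/' . TEMPLATE_ALLOWLIST[$requested]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // missing file or escaped the template directory
    }
    return $path;
}

function render_template_hardened(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Constructed inputs showing the allowlist decision (no files are needed for this part):
foreach (['header', 'sidebar', '../../wp-config.php', 'header.php'] as $input) {
    printf("%-22s -> %s\n", $input, template_is_allowed($input) ? 'allowed' : 'rejected');
}
```

The allowlist check alone removes attacker control of the include path; the realpath containment check is a second layer in case the allowlist is later extended with entries that contain separators.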
OpenCVE Enrichment