The vulnerability arises from improper control of the filename used in include/require statements within the Kipso WordPress theme. This flaw permits a layer of the application to retrieve and execute a local file on the web server by manipulating user‑controlled input. The absence of strict validation or whitelisting of the file path can allow an attacker to read sensitive files or run arbitrary PHP code, resulting in loss of confidentiality and integrity. The weakness matches CWE‑98, which describes improper control of filename for include/require.

The Kipso theme by Gavias, a WordPress plugin, is affected. Versions from the initial release through 1.3.4 contain the flaw. Any installation that uses those versions without upgrading to 1.3.5 or later remains vulnerable.

The CVSS score of 8.1 indicates high severity, but the EPSS score of less than 1 % shows a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely local file inclusion triggered by a crafted HTTP request that supplies an arbitrary path to the theme’s inclusion logic. Exploitation requires that the web server has read access to the target file and that the attacker can control the parameter that specifies the path, which typically is available through a user‑level interface. Because the flaw is in a front‑end theme, the exploitation effort is non‑trivial but still feasible for a determined adversary.