Impact
Improper control of the filename passed to include/require statements in PHP allows Local File Inclusion (LFI), potentially leading to code execution, data leakage, or system compromise. The weakness is classified as PHP Remote File Inclusion and is listed under CWE-98. Users of the WordPress Spin theme up to version 1.8 are exposed because the theme does not validate user-supplied paths before inclusion. The impact is limited to the context of the theme, but a successful LFI can give an attacker access to any file readable by the web server hosting the site, including configuration files, source code, or other sensitive data.
Affected Systems
WordPress sites that use the Spin theme 1.8 or earlier from Axiomthemes are affected. The vulnerability is present in all releases from the initial release through 1.8, including any custom builds that have not applied downstream updates.
Risk and Exploitability
The CVSS score is 8.1, indicating high severity. No EPSS score is reported, so the current estimated exploitation probability is uncertain. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is untrusted user input that feeds the include/require path. Because the issue is a local file inclusion, an attacker who can send a request containing a manipulated parameter may be able to read or execute arbitrary files. No privileges beyond those of the web server process are required, although a web server running with higher privileges widens the damage. If the theme maps request parameters directly to filesystem paths, exploitation is trivial, which makes this a high risk for unpatched systems.
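To make the defect class concrete, the following PHP is an added illustration written for this page; it is not the Spin theme's code, and the parameter name `template`, the `templates/` directory and the template names are hypothetical. It shows the unsafe include pattern that CWE-98 describes next to a hardened version that maps request input onto a fixed allowlist and then confirms the resolved path stays inside the intended directory.

```php
<?php
// Added example, not code from the Spin theme. Parameter name, directory
// layout and template names are assumptions for illustration only.

// VULNERABLE PATTERN (CWE-98): request input becomes part of the include
// path, so traversal sequences or absolute paths let a request pull in
// any file the web server process can read.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// HARDENED PATTERN: the request selects a key, never a path. Unknown keys
// are refused instead of being interpreted.
const ALLOWED_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve an allowlisted template key to an absolute path, or null if the
 * key is unknown or the resolved file lies outside the templates directory.
 */
function resolve_template(string $template): ?string
{
    if (!array_key_exists($template, ALLOWED_TEMPLATES)) {
        return null; // not on the allowlist: refuse rather than guess
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . ALLOWED_TEMPLATES[$template]);

    // Defence in depth: even with an allowlist, verify the canonical path
    // is inside the base directory (guards against symlinks or a bad map).
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Hypothetical request handling: default to a known key when absent.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'home';
render_template_safe($requested);
```

The allowlist is the actual fix: once request input can only select among fixed keys, there is no path for traversal sequences, wrappers or absolute paths to reach the include statement. The `realpath` check is a second layer that also catches mistakes in the map itself. On the detection side, traversal sequences or absolute paths appearing in theme request parameters in web server access logs are the signal worth alerting on while sites remain on an affected version.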
OpenCVE Enrichment