Improper validation of filenames used in PHP include/require statements allows an attacker to trigger a local file inclusion (LFI) flaw within the Algenix WordPress theme. When an input path is accepted without sanitization, arbitrary files on the server can be read or, if the files contain executable code, potentially executed in the context of the web application. The vulnerability falls under CWE-98 and can lead to sensitive file disclosure, configuration leakage, or remote code execution, compromising the confidentiality, integrity, and availability of the affected site.

Axiomthemes Algenix WordPress theme is affected for all releases from the first available version through version 1.0 inclusive. No newer releases are listed, so any instance running Algenix 1.0 or earlier is vulnerable.

The issue carries a high CVSS score of 8.1, indicating significant risk. The EPSS score is below 1%, suggesting that, although the technical severity is high, the likelihood of exploitation in the near term is low, and the vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a crafted request that causes the theme to include a file path supplied by the user, which would be feasible from a remote source if the theme is exposed to public input. Successful exploitation would allow a threat actor to read sensitive files or execute code on the server.