Impact
The FitFlex theme includes a flaw where user-supplied filenames are passed directly to PHP's include/require statements without proper validation. An attacker can exploit this to read arbitrary file contents from the local filesystem, including sensitive configuration files or credentials. The vulnerability is classified as a PHP Remote File Inclusion type but functions only locally, giving the attacker read-only access to files on the server and potentially enabling further exploitation such as privilege escalation or data exfiltration. The weakness corresponds to CWE-98, improper control of the filename used in a PHP include/require statement.
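The following is an added illustration, not code from the FitFlex theme or from axiomthemes: it shows the unsafe pattern the advisory describes (a request value reaching include() unchecked) next to a hardened replacement that maps the request value onto a fixed allowlist and verifies the resolved path stays inside the template directory. All function names, the template list, and the `tpl` parameter are hypothetical.

```php
<?php
// Added example (not the theme's code). Names below are hypothetical.

// --- Unsafe pattern (CWE-98): the request value is concatenated into the
// include path. Any value containing path separators or parent-directory
// segments escapes the intended template directory, so a crafted request
// can make PHP read and execute/emit an arbitrary local file.
function fitflex_render_unsafe(array $request): void
{
    $tpl = $request['tpl'] ?? 'default';
    include __DIR__ . '/templates/' . $tpl . '.php';
}

// --- Hardened replacement: the request value is only ever used as a key
// into a fixed allowlist; the filesystem path never comes from the user.
const FITFLEX_TEMPLATES = [
    'default' => 'default.php',
    'blog'    => 'blog.php',
    'contact' => 'contact.php',
];

/**
 * Returns the absolute path of an allowlisted template, or null if the
 * name is unknown or the resolved path lies outside the template directory.
 */
function fitflex_resolve_template(string $name): ?string
{
    if (!array_key_exists($name, FITFLEX_TEMPLATES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . FITFLEX_TEMPLATES[$name]);

    // Defence in depth: even an allowlisted entry must resolve inside $base
    // (guards against symlinks or a mis-edited allowlist).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function fitflex_render_safe(array $request): void
{
    $path = fitflex_resolve_template((string) ($request['tpl'] ?? 'default'));
    if ($path === null) {
        // Reject rather than fall back: an unknown name is a bad request,
        // and a 400 is also a cheap signal for request logging/detection.
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}
```

In a real WordPress theme the same goal is usually reached with `get_template_part()`, which already confines lookups to the theme directory, combined with `sanitize_key()` on any request-derived slug; the allowlist above makes the boundary explicit so reviewers can see that no user-controlled string ever becomes a path.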
Affected Systems
The issue affects all installations of the axiomthemes FitFlex WordPress theme versions from the initial release up to and including 1.6. Sites using any of these versions are vulnerable; the problem is not present in newer releases of the theme beyond 1.6, according to the vendor’s versioning information.
Risk and Exploitability
The CVSS score of 8.1 places this flaw in the high-severity range, and the EPSS score of less than 1% suggests that exploitation is unlikely but still possible. Because the vulnerability is a local file inclusion, the attacker must be able to reach the vulnerable code path, typically through an authenticated or unauthenticated web request that triggers the include. No known exploits are listed in CISA KEV, but the risk persists if attackers can craft requests to the vulnerable theme's code paths. Given the high impact and potential for data exposure, immediate mitigation is advised.
OpenCVE Enrichment