Impact
The vulnerability is improper control of the filename used in an include/require statement in the Anubis WordPress theme (PHP local file inclusion). This flaw allows an attacker to force the PHP engine to read or include arbitrary local files, which can lead to disclosure of sensitive files or enable further compromise. The weakness is classified as CWE‑98. Based on the description, it is inferred that the attacker may manipulate theme‑provided parameters or craft URLs to trigger the insecure include logic.
Affected Systems
The issue affects the Anubis theme from Axiom Themes installed on WordPress sites, with vulnerable releases up to and including version 1.25. No other versions or products are identified as impacted in the current data.
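To check a site against the affected range above, the following added example (not code from the advisory or from Axiom Themes) scans a WordPress install for copies of the theme and reads the version from each `style.css` header. It assumes the default `wp-content/themes` layout, that the theme declares `Theme Name: Anubis`, and that version components compare numerically.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 25)  # from the advisory: vulnerable up to and including 1.25
THEME_NAME = "anubis"    # assumption: "Theme Name" header value, matched case-insensitively
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

def read_theme_header(style_css):
    """Return the 'theme name' and 'version' fields from a style.css header."""
    # WordPress reads only the first 8 KiB of the file when parsing headers.
    text = Path(style_css).read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def parse_version(version):
    """'1.25.0' -> (1, 25); stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while parts and parts[-1] == 0:  # treat 1.25.0 the same as 1.25
        parts.pop()
    return tuple(parts)

def is_affected(version):
    parsed = parse_version(version)
    # An unparseable or missing version is reported for manual review, not as safe.
    return not parsed or parsed <= LAST_AFFECTED

def find_affected_themes(wp_root):
    """Return [(theme_dir_name, version)] for affected Anubis copies under wp_root."""
    hits = []
    for style_css in sorted(Path(wp_root).glob("wp-content/themes/*/style.css")):
        header = read_theme_header(style_css)
        if header.get("theme name", "").lower() != THEME_NAME:
            continue
        version = header.get("version", "")
        if is_affected(version):
            hits.append((style_css.parent.name, version))
    return hits

if __name__ == "__main__" and len(sys.argv) > 1:
    for name, version in find_affected_themes(sys.argv[1]):
        print(f"{name}: version {version or 'unknown'} is within the affected range")
```

Run it with the WordPress root directory as the only argument. Inactive copies of the theme are reported too, since their PHP files remain on disk.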
Risk and Exploitability
The CVSS score of 8.1 reflects a high severity, and the EPSS score of less than 1% indicates a very low but non‑zero probability of exploitation in the wild at this time. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread known exploitation. Based on the description, it is inferred that likely attack vectors involve manipulating theme‑provided parameters or crafted URLs that trigger the insecure include/require. Successful exploitation requires the attacker to have some level of access to the server’s filesystem or to control the input used by the theme’s inclusion logic, allowing the attacker to read sensitive files such as configuration files.
OpenCVE Enrichment