Impact
The Lunna WordPress theme does not properly control the filenames used in PHP include statements, enabling attackers to retrieve arbitrary files from the target server. The vulnerability, classified as CWE-98, can result in information disclosure and, if an attacker can trigger the inclusion of PHP code, potentially lead to remote code execution. The issue is limited to the Lunna theme and affects all installations using version 1.15 or earlier.
Affected Systems
WordPress sites running the Lunna theme, from an unspecified starting version through 1.15, are impacted. The vulnerability exists on servers where the theme is active; any user-controlled file path used by the theme can be exploited.
Risk and Exploitability
The CVSS base score of 8.1 indicates a high severity flaw, yet the EPSS score is below 1% and the vulnerability is not currently listed in KEV, suggesting low immediate exploitation likelihood. The attack vector is likely local file inclusion triggered by a crafted URL or form submission within the WordPress site. The vulnerability can be leveraged by an attacker who can influence the include path, potentially reading sensitive files or injecting executable PHP code if user data can be coerced into the path. Security teams should treat this as a high‑risk issue, particularly for sites lacking proper input validation and file‑system privilege restrictions.
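The following added example (not code from the Lunna theme or from the advisory) shows the CWE-98 pattern beside a hardened resolver that combines an allowlist with a `realpath()` containment check. The `layout` parameter, the template names and the temporary directory are hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration of CWE-98. NOT the Lunna theme's code.
// The "layout" parameter and the template names are hypothetical.

// Vulnerable pattern (shown for contrast, never called below):
// request data is concatenated straight into the include path.
function render_part_vulnerable(string $baseDir, array $query): void
{
    include $baseDir . '/' . $query['layout'] . '.php';
}

// Hardened pattern: map the request value to a fixed filename, then
// confirm the resolved path still lives inside the template directory.
const ALLOWED_PARTS = ['grid' => 'grid.php', 'list' => 'list.php'];

function resolve_part(string $baseDir, string $requested): ?string
{
    if (!isset(ALLOWED_PARTS[$requested])) {
        return null;                       // value is not on the allowlist
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_PARTS[$requested]);
    if ($base === false || $path === false) {
        return null;                       // directory or file is missing
    }
    // realpath() has resolved symlinks and ".." segments, so a prefix
    // comparison against the base directory is now meaningful.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base
    }
    return $path;
}

// Constructed demo: a temporary template directory holding only grid.php.
$dir = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php echo 'grid';");

foreach (['grid', 'list', '../../wp-config', 'unknown'] as $input) {
    $path = resolve_part($dir, $input);
    printf("%-18s => %s\n", $input,
        $path === null ? 'rejected' : 'include ' . basename($path));
}

unlink($dir . '/grid.php');
rmdir($dir);
```

Only `grid` resolves to an includable path; `list` is allowlisted but rejected because the file does not exist in the constructed directory, and the other two values never reach the filesystem.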