Impact
The vulnerability arises from improper control of the filename used in PHP include or require statements within the WordPress Lione theme. This flaw allows crafted input to be interpreted as a local file path, potentially enabling an attacker to read sensitive files or even execute arbitrary PHP code. The impact is significant, providing a route for attackers to compromise the confidentiality, integrity, and availability of the affected WordPress site. The weakness is classified as CWE-98 (PHP remote file inclusion), indicating a flaw in file inclusion controls.
Affected Systems
All installations of the AxiomThemes Lione theme for WordPress with versions from the initial release up to and including version 1.16 are affected. Users deploying these theme versions on any WordPress site encounter the vulnerability.
Risk and Exploitability
The CVSS score of 8.1 places this flaw in the high severity range, while the EPSS score of less than 1% suggests a low but non-zero probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is any user-controllable input that feeds a filename into the theme's inclusion logic, such as query parameters or form fields. Successful exploitation would require that the attacker be able to provide or influence the path used in the include or require statement.
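The two sections above describe the weakness class (CWE-98) and its attack vector in general terms. The following PHP is an added illustration written for this page; it is not code from the Lione theme or from AxiomThemes, and the function names, the `tpl` request parameter and the `templates/` directory are hypothetical. It shows the pattern the advisory describes, a request value reaching include() directly, next to a hardened form that treats the request value as a token into a fixed allow-list and then confirms the resolved path still lies inside the intended directory.

```php
<?php
// Added example (not the theme's code). Demonstrates CWE-98 and a hardened
// alternative. All names below are hypothetical.

// --- Vulnerable pattern (CWE-98): request input becomes the include path ---
function render_template_vulnerable(string $tpl): void
{
    // Whatever the caller supplies is spliced into the path, so traversal
    // sequences or stream wrappers in $tpl are honored by include().
    include __DIR__ . '/templates/' . $tpl . '.php';
}

// --- Hardened pattern: request value is a key, never a path fragment ---
const TEMPLATE_ALLOWLIST = [
    'home'    => 'home.php',
    'post'    => 'single-post.php',
    'archive' => 'archive.php',
];

/**
 * Map a request token to an absolute template path, or null if rejected.
 */
function resolve_template(string $token): ?string
{
    // 1. Exact-match allow-list: unknown tokens are refused outright.
    if (!array_key_exists($token, TEMPLATE_ALLOWLIST)) {
        return null;
    }

    // 2. Defense in depth: resolve both directory and file with realpath(),
    //    which collapses ".." and symlinks and returns false for missing
    //    files, then require the file to sit inside the templates directory.
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$token]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $token): void
{
    $path = resolve_template($token);
    if ($path === null) {
        // Reject and log; the raw token is useful for detection but should
        // be length-limited before logging in a real deployment.
        http_response_code(400);
        error_log('rejected template token: ' . substr($token, 0, 64));
        return;
    }
    include $path;
}

// Usage with a hypothetical request parameter:
// render_template((string) ($_GET['tpl'] ?? 'home'));
```

The allow-list is the control that actually closes CWE-98: the request value never participates in path construction. The realpath() containment check is there to catch a misconfigured allow-list entry or a symlink inside `templates/`, and it applies equally to any include whose target is computed at runtime. Inside a WordPress theme the idiomatic route is the same idea via `get_template_part()` with a slug that has already been validated against known values.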
OpenCVE Enrichment