A flaw in the Creatives_Planet Leblix theme allows an attacker to influence the file path included by a PHP include/require statement. This improper control of filename flaw (CWE‑98) can enable local file inclusion, potentially giving an attacker read access to sensitive configuration or application files and possibly a pathway to execute arbitrary code if further exploited. The vulnerability is limited to the PHP code within the theme and does not grant arbitrary command execution directly. The impact is significant because compromised files may expose credentials, database connections, or other privileged data.

WordPress installations that use the Leblix theme, version 2.4 or earlier, are affected. The issue is reported to impact all builds from the earliest release of the theme through 2.4. All WordPress sites hosting this theme without an updated version are therefore vulnerable.

The CVSS score for this vulnerability is 8.1, indicating a high severity that could result in data disclosure or system compromise. The EPSS score is reported as less than 1%, suggesting that current exploitation attempts are rare or unsuccessful; the vulnerability is also not listed in the CISA KEV catalog. Likely the exploitation path involves sending a crafted request that manipulates the theme’s inclusion logic—though the exact attack vector is not described in the advisory, it is inferred that a malicious user could cause the theme to include an attacker‑controlled file path and read sensitive content.