The Medizin WordPress theme contains a flaw where user‑controlled input is used unchecked in a PHP include/require statement, allowing a local file to be read or executed. This can lead to execution of arbitrary PHP code or disclosure of sensitive files stored on the web server. The primary risk is that an attacker may gain the ability to run malicious scripts or access configuration files, thereby compromising the confidentiality, integrity, or availability of the site.

ThemeMove’s Medizin theme for WordPress is vulnerable in all versions prior to 1.9.7. The flaw affects installations where the theme is active, regardless of WordPress core version or other plugins. The CPA list identifies the theme on any WordPress deployment.

With a CVSS score of 8.1 the vulnerability is classified as high severity, and its EPSS score of less than 1% implies a very low current exploitation probability. However, the issue is not listed in CISA’s KEV catalog, meaning there is no indication of broad exploitation yet. The likely attack vector is a crafted request to the site that passes a file path to the vulnerable include, assuming the attacker can influence the input. If successful, the attacker could execute arbitrary code or read files, potentially leading to full site compromise.