The vulnerability stems from the EduMall theme's handling of user-supplied filenames in include/require statements. The lack of proper validation allows an attacker to craft requests that force the application to include arbitrary files from the server's filesystem, leading to a Local File Inclusion flaw. This weakness, categorized as CWE‑98, can enable readers to access sensitive configuration files or execute attacker-supplied code if the included file contains PHP, thereby risking both confidentiality and integrity of the site's data.

Any installation of the ThemeMove EduMall WordPress theme version earlier than 4.4.5 is affected. This includes all variants of the theme distributed through WordPress, regardless of WordPress core version or additional plugins, since the flaw resides within the theme itself. Users who have not yet upgraded beyond 4.4.5 remain vulnerable.

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests that automated exploitation is unlikely at present. The flaw is not listed in CISA's KEV catalog. Exploitation would typically require an attacker to manipulate a URL or form parameter that feeds into the include path, which is usually limited to authenticated users who can alter theme settings or visit specific theme pages. The missing input validation could allow attackers to read arbitrary files or, if capable, inject malicious PHP code for remote code execution.