Impact
The IPharm WordPress theme contains a flaw in which an attacker can control the filename passed to a PHP include/require statement. Because that filename is not properly restricted, any file on the server that the PHP process can read can be disclosed by supplying its path. The vulnerability is classified as a Local File Inclusion (LFI) and is mapped to CWE‑98 (Improper Control of Filename for Include/Require Statement in PHP Program). It lets an attacker disclose sensitive content stored on the server, such as configuration files, user data, or other files that are not intended to be publicly accessible.
Affected Systems
WordPress sites running the Axiom Themes IPharm theme at version 1.2.3 or earlier are affected. No other vendors or products are listed as impacted. Because the flaw is in the theme's own code, it applies to every site using one of these theme versions regardless of the WordPress core version or the other plugins installed; updating core or plugins does not remove the exposure.
Risk and Exploitability
A CVSS score of 8.1 places the issue in the High severity band. The EPSS score is below 1 %, indicating a low predicted probability of exploitation in the wild at the time of analysis, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Exploitation requires that the theme expose a user‑controllable filename parameter on a publicly reachable endpoint and pass it to include/require. Where that is the case, an attacker can supply a path (typically using ../ traversal sequences) to any file readable by the PHP process; non‑PHP files are emitted verbatim into the response, so the impact is primarily a confidentiality breach through sensitive file disclosure. Because include() executes any PHP code in the file it loads, LFI can escalate to code execution if an attacker can get PHP code into a file the include can reach, but the CVE description does not confirm this and it depends on the specific server configuration.
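The pattern described in the Impact section and in the exploitability discussion above, as an added example that is not IPharm's code and does not claim to show how the real theme is written: a template partial is chosen from a request parameter and handed to include(), alongside a hardened version that allowlists the name and confines the resolved path. The parameter name template, the template-parts directory and the allowlist contents are assumptions for illustration; get_template_directory() and wp_die() are real WordPress functions, so the snippet is meant to live in a theme file.

```php
<?php
// Added example, not IPharm's code. Illustrates CWE-98: a request parameter
// controls the filename given to include(). $_GET['template'], the
// 'template-parts' directory and ALLOWED_PARTS are assumed for this demo.

// --- Vulnerable pattern ------------------------------------------------------
// ?template=../../../../etc/passwd walks out of the theme directory. PHP
// executes any <?php code it finds in the included file and echoes every
// other byte straight into the response, so non-PHP files are disclosed.
function render_part_vulnerable(): void {
    $name = $_GET['template'] ?? 'default';
    include get_template_directory() . '/template-parts/' . $name;
}

// --- Hardened pattern --------------------------------------------------------
// Partials the theme actually ships (assumed). User input is compared against
// this list and never becomes part of a path on its own.
const ALLOWED_PARTS = ['default', 'grid', 'list'];

function render_part_hardened(): void {
    $name = $_GET['template'] ?? 'default';

    // 1. Allowlist: strict comparison, unknown values fall back to the default.
    if (!in_array($name, ALLOWED_PARTS, true)) {
        $name = 'default';
    }

    // 2. Defence in depth: resolve the final path and require that it still
    //    sits inside the partials directory. realpath() collapses ../ and
    //    follows symlinks, so a later mistake in the list cannot escape.
    $base = realpath(get_template_directory() . '/template-parts');
    $path = realpath($base . '/' . $name . '.php');
    $inside = $base !== false
        && $path !== false
        && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;

    if (!$inside) {
        // wp_die(message, title, args): third argument carries the HTTP status.
        wp_die('Invalid template', '', ['response' => 400]);
    }

    include $path;
}
```

The allowlist alone closes the hole; the realpath() containment check is there so that a future edit (a new partial, a renamed directory, a symlink dropped into template-parts) cannot silently reopen it. Note that passing the raw parameter to get_template_part() instead of include() does not help, since that helper also ends in a file include of whatever path resolves.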
OpenCVE Enrichment