Impact
The vulnerability originates from a failure to properly validate and control filenames used in PHP include/require statements within the Soleil WordPress theme. An attacker who can influence the filename argument can supply arbitrary paths, enabling the inclusion of local files. If the included file contains malicious PHP code, the attacker may execute code on the server, potentially exposing sensitive configuration files or fully compromising the WordPress site. This flaw can be exploited directly in the context of the theme’s normal operation, yielding a high potential impact on confidentiality, integrity, and availability.
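To make the defect concrete, the following PHP shows the unsafe pattern the advisory describes (request input used directly as an include path) next to a hardened version that treats the request value only as a key into a fixed allowlist and confirms the resolved file lives inside the theme's template directory. This is an illustrative example added here, not code from the Soleil theme; the function names, the `templates/` subdirectory and the allowlist entries are assumptions, while `get_template_directory()` and `sanitize_key()` are standard WordPress functions.

```php
<?php
// Illustrative example added to this advisory; not the Soleil theme's own code.
// Function names, the 'templates' subdirectory and the allowlist are assumptions.

// Unsafe pattern (the class of bug described above): the include path is built
// from a caller-controlled string with no validation, so whatever local path
// the string resolves to is handed to the PHP interpreter.
function theme_load_template_unsafe( string $template ): void {
    // Example of the flaw only; do not use.
    include get_template_directory() . '/templates/' . $template . '.php';
}

// Hardened pattern: the request value is never used as a path. It selects an
// entry from a fixed allowlist, and the resolved file is checked to be inside
// the template directory before it is included.
function theme_load_template_safe( string $requested ): bool {
    $allowed = array(
        'default'   => 'template-default.php',
        'blog'      => 'template-blog.php',
        'portfolio' => 'template-portfolio.php',
    );

    if ( ! array_key_exists( $requested, $allowed ) ) {
        return false; // unknown key: refuse instead of guessing a file
    }

    $base = realpath( get_template_directory() . '/templates' );
    $path = ( false === $base ) ? false : realpath( $base . '/' . $allowed[ $requested ] );

    // realpath() returns false for a missing file; the prefix check rejects any
    // resolution (symlink or otherwise) that lands outside the template directory.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    include $path;
    return true;
}

// Typical call site: normalise the request parameter, then let the allowlist
// decide. 'layout' is an assumed parameter name.
$layout = sanitize_key( $_GET['layout'] ?? 'default' );
if ( ! theme_load_template_safe( $layout ) ) {
    theme_load_template_safe( 'default' );
}
```

The important property is that no byte of the request value ever reaches the filesystem API: the allowlist lookup is the only step that consumes it, and the `realpath()` prefix check is a second, independent guard should the allowlist itself be misconfigured. A theme update that introduces this pattern is the fix; when patching is not immediately possible, the same allowlist can be enforced at the web server or WAF by rejecting requests whose template parameter contains anything other than the expected keys.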
Affected Systems
Any WordPress installation that uses the AxiomThemes Soleil theme version 1.17 or earlier is affected. The vulnerability is present in all releases of the theme up to and including 1.17, regardless of other plugins or themes installed.
Risk and Exploitability
The severity is high, with a CVSS score of 8.1, indicating a serious risk if exploited. The EPSS score of less than 1 % suggests that exploitation is currently uncommon and the vulnerability is not yet widely used. The issue is not listed in CISA's KEV catalog, further indicating a low current threat level. The attack vector is likely local or via a crafted request that triggers the theme's file-include logic, requiring the attacker to control the filename parameter. While the potential impact is significant, the limited exploit probability moderates the overall risk profile.
OpenCVE Enrichment