Impact
This vulnerability arises from improper control of the filename used in an include/require statement within the Rare Radio WordPress theme. Because the theme does not validate or sanitize the file path supplied to the include call, an attacker can induce the server to read arbitrary files and potentially execute code. The flaw, classified as CWE‑98, permits local file inclusion, which can expose sensitive data, alter content, or be escalated to remote code execution, thereby compromising confidentiality, integrity, and availability of the affected site.
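The missing validation described above, shown in its hardened form as an added example; this is not code from the Rare Radio theme or its vendor. The function name `resolve_template`, the `tpl` parameter and the template names are hypothetical, and a temporary directory stands in for the theme's template folder.

```php
<?php
// Added illustration: hypothetical names, not the Rare Radio theme's code.

// Unsafe pattern (CWE-98), kept as a comment for contrast only:
//   include get_template_directory() . '/templates/' . $_GET['tpl'] . '.php';

/**
 * Map a requested template name to a file inside $baseDir, or return null.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: accept only names the theme is known to ship.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved file must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: one real template, one allowed name with no file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', '<?php echo "header included\n";');
$allowed = ['header', 'footer'];

foreach (['header', 'footer', '../outside/secret', 'header.php/..'] as $name) {
    $file = resolve_template($name, $dir, $allowed);
    if ($file !== null) {
        include $file;                     // only reached for vetted paths
    } else {
        echo "rejected: ", $name, "\n";    // log and serve a default instead
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'header.php');
rmdir($dir);
```

The allowlist alone stops the request-controlled name; the `realpath()` containment check is a second layer in case the allowlist is later widened or populated from a directory listing.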
Affected Systems
AncoraThemes Rare Radio versions from the first release through 1.0.15.1 are affected. No specific vendor fixes or patches are listed in the advisory, and the vulnerability applies to all installations of the theme within that version range.
Risk and Exploitability
With a CVSS score of 8.1, the exploitation risk is significant, yet the EPSS score is below 1%, indicating a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would need web application access that allows manipulation of the include parameter, so the attack vector is web‑based. Once a path is specified, the server will include the local file, creating a window for attacker‑controlled code to run.