Impact
The vulnerability is an improper control of filenames in a PHP include/require statement that permits local file inclusion. An attacker could specify an arbitrary path in a request to the Pubzinne theme, causing the server to read files from the local filesystem. This can expose sensitive files such as configuration files or, if the file contains executable PHP, could lead to remote code execution. The weakness is the classic CWE-98 issue of specifying files without adequate validation.
Affected Systems
The issue exists in the Pubzinne theme package from the initial release through version 1.0.12, sold under axiomthemes for WordPress installations. Any WordPress site that has this theme installed at or below that version is vulnerable.
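To check an installation against the affected range above, the following added example (not part of the advisory or the theme's code) reads the `Version` field from each theme's `style.css` header and compares it with 1.0.12. It assumes the theme's directory or `Theme Name` is `pubzinne`; the sample header is constructed.

```python
import re
import sys
from pathlib import Path

THEME_SLUG = "pubzinne"        # assumption: the theme's directory / Theme Name
LAST_AFFECTED = (1, 0, 12)     # from the advisory: affected through 1.0.12

def header_field(css_text, key):
    """Read one 'Key: value' field from a style.css header comment."""
    m = re.search(rf"^[ \t/*#@]*{re.escape(key)}:(.*)$", css_text[:8192], re.I | re.M)
    return re.sub(r"\s*\*/.*$", "", m.group(1)).strip() if m else ""

def version_tuple(text):
    """'1.0.12' -> (1, 0, 12); empty tuple when no digits are present."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def classify(css_text, dirname=""):
    """Return 'affected', 'outside-range', 'unknown', or None if not this theme."""
    name = header_field(css_text, "Theme Name").lower()
    if THEME_SLUG not in (name, dirname.lower()):
        return None
    ver = version_tuple(header_field(css_text, "Version"))
    if not ver:
        return "unknown"       # no parsable version: review by hand
    width = max(len(ver), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))   # so 1.1 compares as 1.1.0
    return "affected" if pad(ver) <= pad(LAST_AFFECTED) else "outside-range"

def scan_themes(themes_dir):
    """Map theme directory name -> classification for every matching theme."""
    results = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        verdict = classify(css.read_text(errors="replace"), css.parent.name)
        if verdict is not None:
            results[css.parent.name] = verdict
    return results

# Constructed sample header, not taken from the real theme package.
SAMPLE = "/*\nTheme Name: Pubzinne\nVersion: 1.0.12\n*/\n"

if __name__ == "__main__":
    print("sample:", classify(SAMPLE))
    for path in sys.argv[1:]:  # pass one or more wp-content/themes directories
        print(path, scan_themes(path))
```

An installed but inactive copy is reported as well, since the advisory counts any site with the theme installed.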
Risk and Exploitability
The CVSS score is 8.1, indicating a high severity risk. The EPSS score is less than 1%, showing that the probability of exploitation in the wild is very low at present. The vulnerability is not listed in the CISA KEV catalog, reducing its current visibility to security operations. An attacker would need the ability to influence the theme’s include logic, which typically requires either direct access to the site or exploitation of another vulnerability that allows manipulation of the request parameters. The likely attack vector is crafted URLs or form inputs that carry the path used by the vulnerable include. Overall, the severity is high but the probability of exploitation is low in the short term.