An improper control of filename in an include/require statement within the ApusTheme Famita WordPress theme allows an attacker to supply a path that points to an arbitrary local file on the server. The flaw can lead to reading of sensitive files or execution of malicious code on the machine, as the PHP script processes the unvalidated filename. This vulnerability is classified as CWE-98 and can have a high impact on confidentiality, integrity, or availability for sites that rely on the affected theme.

Affected is the ApusTheme Famita WordPress theme, all releases through version 1.54. Site owners who have installed any of these releases are potentially vulnerable, while versions newer than 1.54 are not impacted by this issue.

The CVSS base score is 8.1, indicating high severity. The EPSS score of less than 1% suggests that the likelihood of exploitation is low with the available data, and the vulnerability is not listed in the CISA KEV catalog. Attackers would likely need to exploit a crafted URL or theme configuration that triggers the improper include, enabling them to read local files or run code if the server permits. The exact attack path is inferred from the description, as the CVE does not detail specific prerequisites beyond the theme’s inclusion logic.