Impact
The ITok WordPress theme does not properly control the filename passed to a PHP include/require statement, so an attacker can direct the theme to include, and thereby read, arbitrary files from the local filesystem. This Local File Inclusion flaw (CWE-98) can expose sensitive site files such as configuration data or credentials, giving the attacker broad visibility into the server and, where attacker-writable files exist or the theme later processes remote content, a path to further attacks. The CVE description labels the issue as a PHP Remote File Inclusion vulnerability, but the observed effect is limited to local file inclusion; chaining with other weaknesses could elevate the risk.
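The following is an added illustration of the CWE-98 pattern described above, not code taken from the ITok theme or from OpenCVE. It places a vulnerable template loader next to a hardened one. The request parameter name `layout`, the `templates/` directory and the template filenames are assumptions made for the example; the theme's real parameter names are not stated on this page.

```php
<?php
// Added example (not the ITok theme's code): a CWE-98 include controlled by
// request input, shown next to an allowlist-based replacement.
// ASSUMED for illustration: the "layout" parameter and the templates/ directory.

declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// VULNERABLE: the include filename is built directly from a request value.
// A traversal sequence in that value escapes the intended directory, and the
// appended ".php" suffix does not stop other PHP files from being included.
function render_layout_vulnerable(array $request): void
{
    $layout = $request['layout'] ?? 'default';
    include TEMPLATE_DIR . '/' . $layout . '.php';
}

// HARDENED: the request value is only ever used as a key into a fixed map of
// known templates; the path given to include comes from the map, never from
// the raw input. The realpath() check also catches a misconfigured map entry
// that would point outside the template directory.
function render_layout_hardened(array $request): void
{
    static $allowed = [
        'default' => 'default.php',
        'grid'    => 'grid.php',
        'list'    => 'list.php',
    ];

    $key = (string) ($request['layout'] ?? 'default');
    if (!array_key_exists($key, $allowed)) {
        http_response_code(400);
        echo "Unknown layout\n";
        return;
    }

    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $allowed[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(500);
        echo "Template missing or outside the template directory\n";
        return;
    }
    include $path;
}

// Usage: only the hardened loader is wired to the request. In a real theme
// $_GET would be the source of the layout value.
render_layout_hardened(['layout' => $_GET['layout'] ?? 'default']);
```

In a WordPress theme the idiomatic equivalent of the hardened loader is to map the request value onto an allowlisted slug and pass only that slug to `get_template_part()`; the defining property in both cases is that user input selects from a fixed set and never contributes characters to the path.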
Affected Systems
ApusTheme ITok for WordPress is affected. The vulnerability exists in all releases from the earliest known version through ITok version 1.1.42. Any WordPress site that installs or continues to use an ITok theme version 1.1.42 or older is vulnerable. The flaw does not impact other WordPress themes or plugins.
Risk and Exploitability
The flaw carries a CVSS score of 8.1, indicating a high potential impact if exploited. The EPSS score is less than 1%, reflecting a low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. Attackers would need to influence input that the theme processes, typically query parameters or form data, to trigger the inclusion. The attack vector is remote via the web application, but the effect is confined to local file read unless other weaknesses are chained.
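Because the trigger arrives through request input, web-server access logs are the natural place to look for attempts while a site still runs an affected version. The script below is an added example, not part of the OpenCVE page: it scans access log lines for query parameters carrying path traversal, null bytes or a URL/stream-wrapper prefix, the kinds of value an uncontrolled include would consume. The log lines are constructed for the example, and the `layout` parameter is an assumed name, not one documented for ITok.

```php
<?php
// Added example (not from the OpenCVE page): flag access-log requests whose
// query parameters look like include-path manipulation.
// Log lines and the "layout" parameter name are CONSTRUCTED for illustration.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /?layout=grid HTTP/1.1" 200 5120
203.0.113.11 - - [10/May/2024:12:00:02 +0000] "GET /?layout=..%2F..%2F..%2Fwp-config HTTP/1.1" 200 3311
203.0.113.12 - - [10/May/2024:12:00:03 +0000] "GET /?layout=http://203.0.113.99/x HTTP/1.1" 200 9870
203.0.113.13 - - [10/May/2024:12:00:04 +0000] "GET /?layout=list&page=2 HTTP/1.1" 200 4100
LOG;

// Extract the query string from the quoted request field of a combined-format line.
function query_from_log_line(string $line): ?string
{
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    return is_string($query) ? $query : null;
}

// Return the parameters whose decoded value contains a traversal step,
// a null byte, or a scheme prefix such as http:// or php://.
function suspicious_params(string $query): array
{
    parse_str($query, $params);          // URL-decodes each value once
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $decoded = rawurldecode($value); // second pass catches double encoding
        if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $decoded)
            || str_contains($decoded, "\0")
            || preg_match('#^[a-z][a-z0-9+.-]*://#i', $decoded)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Walk the log and collect line numbers with their suspicious parameters.
function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $index => $line) {
        $query = query_from_log_line($line);
        if ($query === null) {
            continue;
        }
        $hits = suspicious_params($query);
        if ($hits !== []) {
            $findings[] = ['line' => $index + 1, 'params' => $hits];
        }
    }
    return $findings;
}

foreach (scan_log(SAMPLE_LOG) as $finding) {
    printf("line %d: %s\n", $finding['line'], json_encode($finding['params']));
}
```

On the constructed sample the scan reports lines 2 and 3 and leaves the two ordinary requests alone. Status codes are deliberately ignored: an include of an existing file returns 200 just like a legitimate page, so the request value, not the response, is the signal to key on.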
OpenCVE Enrichment