The vulnerability is an improper control of the filename in a PHP include/require statement, allowing a local file inclusion attack. This flaw can enable an attacker to read arbitrary files on the server, such as configuration files containing database credentials, and may provide a path to execute malicious code depending on server configuration. The core weakness is CWE‑98 and the impact is a leakage of sensitive data and potential escalation to code execution.

It affects installs of the Dream‑Theme The7 WordPress theme up to, but not including, version 12.8.1.1. WordPress sites using any pre‑12.8.1.1 build of The7 are susceptible to the flaw.

The CVSS score of 7.5 indicates a high severity, yet the EPSS score of less than 1 % signifies a very low probability of exploitation in the wild, and the vulnerability is not listed as a known exploited vulnerability. The attack vector is local file inclusion, generally triggered by a controlled input that determines the path of an included file; the flaw exists in server‑side PHP code and therefore requires the attacker to have an entry point that can influence the include path. If successfully leveraged, an attacker could read sensitive configuration files or, in conjunction with other weaknesses, execute code on the server.