Impact
The PenNews WordPress theme does not properly control the filename used in PHP include/require statements, which results in a local file inclusion (LFI) flaw. An attacker who can influence the filename can read or execute arbitrary files residing on the web server, potentially leading to disclosure of sensitive data or execution of malicious PHP code. The impact is limited to the web server hosting the affected theme but can be leveraged to compromise the entire website.
Affected Systems
The vulnerability affects the PenciDesign PenNews theme for WordPress in all releases earlier than version 6.7.3. No other version identifiers are provided, so any installation of the theme before that update is considered vulnerable. The vendor and product are PenciDesign and PenNews respectively.
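One way to check an installation against the affected range above, as an added example (not code from the vendor or from OpenCVE): it reads each theme's `style.css` header, where WordPress themes declare their version, and compares it with 6.7.3. The `Theme Name: PenNews` match, the sample header and the function names are assumptions.

```python
import re
import sys
from pathlib import Path

FIXED = (6, 7, 3)  # first fixed release, taken from the advisory text

# Constructed sample header, not copied from the real theme.
SAMPLE = "/*\nTheme Name: PenNews\nAuthor: PenciDesign\nVersion: 6.7.2\n*/\n"

def header_field(css_text, key):
    """Read one style.css header field; WordPress only parses the first 8 KB."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$",
                  css_text[:8192], re.M | re.I)
    if not m:
        return None
    # Drop a trailing comment terminator that shares the line with the value.
    return re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()

def version_tuple(version):
    """'6.7' -> (6, 7, 0); a '-beta' style suffix is ignored."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(css_text):
    """Return 'vulnerable', 'patched', 'unknown', or None if not PenNews itself."""
    name = header_field(css_text, "Theme Name")
    if not name or "pennews" not in name.lower():  # assumed theme name
        return None
    if header_field(css_text, "Template"):
        return None  # child theme: its own version says nothing about the parent
    version = header_field(css_text, "Version")
    if not version or not version[0].isdigit():
        return "unknown"  # needs manual review
    return "vulnerable" if version_tuple(version) < FIXED else "patched"

def scan(themes_dir):
    """Map theme directory name -> verdict for every PenNews copy found."""
    results = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        verdict = classify(css.read_text(encoding="utf-8", errors="replace"))
        if verdict:
            results[css.parent.name] = verdict
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. path to wp-content/themes
        for folder, verdict in scan(sys.argv[1]).items():
            print(f"{folder}: {verdict}")
    else:
        print("constructed sample:", classify(SAMPLE))
```

Copies reported as `unknown` have no parsable version in the header and need a manual check.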
Risk and Exploitability
The CVSS score of 8.1 places this flaw in the high-severity range, indicating significant risk to confidentiality, integrity, and availability. The EPSS score of less than 1% suggests that, as of the latest data, the probability of real-world exploitation is low, and the flaw is not yet listed in the CISA KEV catalog. The attack vector is inferred to be local or remote interaction with the theme's file inclusion points; an attacker would need to send a crafted request that supplies a filename to the vulnerable include/require statement. While the flaw itself does not provide a guaranteed remote code execution path, it can be a stepping stone to other attacks if additional weaknesses exist.
OpenCVE Enrichment