The CVE describes an Improper Control of Filename for Include/Require Statement in PHP, which permits Local File Inclusion in the NooTheme Jobmonster WordPress theme up through version 4.8.2. The flaw allows an attacker to cause the theme’s PHP code to include arbitrary local files present on the web server. If the chosen file contains sensitive configuration data, source code, or executable content, the attacker may gain read access to hidden files or potentially execute malicious code, compromising confidentiality and integrity of the site. The weakness is identified as CWE‑98.

Any WordPress installation that has the NooTheme Jobmonster theme deployed and is using a version 4.8.2 or earlier is affected. The vulnerability exists across all prior releases as well, independent of the WordPress core version or configuration, making the theme itself the primary point of exposure.

The CVSS v3.1 score of 7.5 signals high severity. The EPSS score is below 1 %, indicating that while exploitation is possible, it is currently considered unlikely. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported yet. Attackers would need to identify a touchpoint in the theme that passes user data to the include() or require() functions; this path is inferred from the description rather than explicitly documented. Successful exploitation would require appropriate file system access and could lead to remote code execution if a malicious file is served or locally crafted executable content is included.