Impact
Improper control of the filename used in PHP include/require statements in the ThimPress Sailing theme allows local file inclusion. The flaw lets an attacker direct the application to load files from attacker-chosen paths, potentially exposing sensitive files and enabling arbitrary code execution. It puts the integrity and confidentiality of the hosted WordPress site at risk and could be leveraged to gain elevated privileges or full site compromise. The weakness is identified as CWE-98. The description indicates that local files can be included; the exact attack vector is not explicitly stated, but it is inferred that an attacker able to reach the theme's include interfaces, typically via a URL parameter or form input, could trigger the inclusion.
Affected Systems
The vulnerability affects all deployments of the ThimPress Sailing WordPress theme older than version 4.4.6, including any release from the earliest available build through 4.4.5. Users running a WordPress instance with the affected theme are at risk, regardless of the specific site configuration, because the flaw resides within the theme’s PHP code.
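A defender-side check for the affected range stated above (older than 4.4.6), added here as an example and not taken from the advisory or from ThimPress: it reads each installed theme's style.css header and compares the version numerically. The match on "Sailing" in the Theme Name header and the sample directory names are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 4, 6)  # first fixed release, per the advisory text

def header(css, label):
    """Read one field from a WordPress style.css header comment."""
    m = re.search(rf"^[ \t/*#@]*{label}:(.*)$", css[:8192], re.I | re.M)
    return m.group(1).strip() if m else ""

def version_tuple(text):
    """'4.4.5' -> (4, 4, 5), so 4.4.10 compares above 4.4.6."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def check_theme(style_css):
    """Return (dir name, version, status), or None if not the Sailing parent theme."""
    css = Path(style_css).read_text(encoding="utf-8", errors="replace")
    # Assumption: the theme identifies itself with "Sailing" in Theme Name.
    if "sailing" not in header(css, "Theme Name").lower():
        return None
    # Child themes declare Template: and carry their own version; judge the parent only.
    if header(css, "Template"):
        return None
    ver = header(css, "Version")
    vt = version_tuple(ver)  # empty tuple means no parsable version: review by hand
    status = "unknown" if not vt else "vulnerable" if vt < FIXED else "fixed"
    return (Path(style_css).parent.name, ver, status)

def scan(themes_dir):
    """Check every <themes_dir>/*/style.css and return the Sailing hits."""
    hits = (check_theme(p) for p in sorted(Path(themes_dir).glob("*/style.css")))
    return [h for h in hits if h]

def demo():
    """Run the scan over constructed sample themes (not real installs)."""
    samples = {
        "sailing": "/*\nTheme Name: Sailing\nVersion: 4.4.5\n*/",
        "sailing-new": "/*\nTheme Name: Sailing\nVersion: 4.4.10\n*/",
        "sailing-child": "/*\nTheme Name: Sailing Child\nTemplate: sailing\nVersion: 1.0\n*/",
        "other": "/*\nTheme Name: Other\nVersion: 1.2\n*/",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, css in samples.items():
            (Path(root) / name).mkdir()
            (Path(root) / name / "style.css").write_text(css)
        return scan(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a real host, call `scan()` with the site's `wp-content/themes` directory; a status of `unknown` means the header carried no parsable version and needs a manual look.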
Risk and Exploitability
With a CVSS score of 7.5, the vulnerability is considered high severity. The EPSS score is below 1%, indicating a low probability of exploitation in the near term, and the vulnerability is not listed in CISA's KEV catalog. The likely attack pathway involves providing a crafted input to the theme's processing code, resulting in the inclusion of an arbitrary local file. An attacker who can influence the input, such as a malicious user who can access the theme's settings or exploit a related path traversal, could use this to read sensitive files or execute code, depending on the server configuration and file permissions.