Impact
The Besa WordPress theme passes an improperly validated filename to a PHP include/require statement. This weakness, classified as CWE‑98 (Improper Control of Filename for Include/Require Statement in PHP Program), allows local file inclusion: an attacker can make the server include an arbitrary file that the web server process can read, disclosing its contents and, if the file contains PHP, executing it. Sensitive configuration information such as database credentials in wp-config.php or other secrets could be revealed, and the attacker could use that information to mount further attacks such as remote code execution or privilege escalation.
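To make the CWE‑98 pattern concrete, the following Python snippet is an added illustration and is not code from the Besa theme or from this advisory. It models the path that a naive include sink would open when a request parameter is joined onto the theme directory, beside a hardened resolver that combines an allowlist with a containment check. The theme directory, the includes subdirectory, the template names and the sample parameter values are assumptions made for the demonstration; the real sink is PHP, and only its path logic is modelled here.

```python
import os
from typing import Optional

# Assumed layout for the demonstration: templates live under <theme root>/includes.
# The Besa theme's real file layout and the vulnerable parameter name are not stated
# in the advisory.
THEME_ROOT = "/var/www/wp-content/themes/besa"
ALLOWED_TEMPLATES = {"header", "footer", "sidebar"}


def vulnerable_resolve(theme_root: str, user_value: str) -> str:
    """CWE-98 style sink: the raw request parameter is joined onto the template directory.
    Returns the path an include/require would open; nothing is executed here."""
    return os.path.normpath(os.path.join(theme_root, "includes", user_value))


def hardened_resolve(theme_root: str, user_value: str) -> Optional[str]:
    """Two independent controls: the parameter must name an allowlisted template, and the
    resolved path must still lie under the template directory. Returns None on rejection."""
    if user_value not in ALLOWED_TEMPLATES:
        return None
    base = os.path.normpath(os.path.join(theme_root, "includes"))
    candidate = os.path.normpath(os.path.join(base, user_value + ".php"))
    # Containment is defence in depth: it catches a future allowlist entry that
    # accidentally contains a separator or a traversal sequence.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def escapes_theme_root(theme_root: str, resolved: str) -> bool:
    """True when a resolved include path lies outside the theme directory."""
    root = os.path.normpath(theme_root)
    return os.path.commonpath([root, resolved]) != root


if __name__ == "__main__":
    # Traversal and an absolute path both leave the theme directory in the naive sink;
    # the hardened resolver rejects both and only ever returns an allowlisted template.
    for value in ("header", "../../../../../../etc/passwd", "/etc/passwd"):
        naive = vulnerable_resolve(THEME_ROOT, value)
        print(f"{value!r}: naive -> {naive} "
              f"(escapes root: {escapes_theme_root(THEME_ROOT, naive)}), "
              f"hardened -> {hardened_resolve(THEME_ROOT, value)}")
```

The allowlist is the control that actually closes the hole; the containment check is there so that a later edit to the allowlist cannot silently reopen it.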
Affected Systems
All versions of the Besa theme from its initial release through 2.3.15 are affected. The CVE record lists the entire range up to and including 2.3.15, and no release containing a fix is known, so any installation running a version at or below 2.3.15 should be treated as vulnerable, and a later version, if one exists, must not be assumed safe. The vendor has not published an official patch or advisory, so the responsibility falls on administrators to mitigate on their own, for example by restricting or replacing the theme, and to update it if a fixed release appears.
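One way to check an installed copy against the listed range is to read the Version field from the header comment WordPress keeps in the theme's style.css. The script below is an added example, not part of the advisory or of the theme; the style.css sample is constructed, and the only value taken from the advisory is the upper bound 2.3.15.

```python
import re
from typing import Optional, Tuple

# Upper bound of the affected range given in the advisory: every release through 2.3.15.
LAST_LISTED_AFFECTED = "2.3.15"

# Constructed sample of the header comment WordPress reads from a theme's style.css.
SAMPLE_STYLE_CSS = """\
/*
Theme Name: Besa
Theme URI: https://example.invalid/besa
Description: Sample header used only for this check.
Version: 2.3.12
*/
"""


def theme_header_field(style_css: str, field: str) -> Optional[str]:
    """Return the value of one 'Field: value' header line from style.css, or None."""
    pattern = r"^[ \t/*]*" + re.escape(field) + r"[ \t]*:[ \t]*(.+?)[ \t]*$"
    match = re.search(pattern, style_css, re.MULTILINE | re.IGNORECASE)
    return match.group(1) if match else None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric components of a version string, so that 2.10.0 sorts after 2.3.15
    (a plain string comparison gets that wrong). A pre-release suffix such as
    '-beta' is ignored for this range check."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", numeric))


def in_listed_range(version: str) -> bool:
    """True when the version falls inside the range the CVE record lists.
    A version above 2.3.15 is only outside the listed range; because no fixed
    release is known, it must not be read as 'patched'."""
    return version_key(version) <= version_key(LAST_LISTED_AFFECTED)


def assess_theme(style_css: str) -> Tuple[Optional[str], bool]:
    """(version, in_listed_range). A missing or unparsable version is treated as
    affected until verified by other means."""
    version = theme_header_field(style_css, "Version")
    if version is None or not version_key(version):
        return version, True
    return version, in_listed_range(version)


if __name__ == "__main__":
    print(assess_theme(SAMPLE_STYLE_CSS))
```

Run it against the style.css of each installed copy of the theme, including copies under wp-content/themes on staging hosts, since a theme that is installed but not active can still be reachable.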
Risk and Exploitability
The CVSS base score of 7.5 places the vulnerability in the high severity band. Its EPSS score is below 1 %, so the estimated probability of exploitation in the wild over the next 30 days is currently low. It is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which means CISA has not confirmed active exploitation; it does not mean that no exploit exists, and local file inclusion in PHP is a well understood class of bug. The exact vector has not been published; it is inferred that a user‑controlled request parameter on the WordPress site is passed to the include/require logic. If exploited, the vulnerability could disclose any file readable by the web server process and serve as a foothold for more advanced attacks.
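Because the vulnerable parameter is only inferred, a detection has to look at every query parameter rather than one known name. The script below is an added example, not code from the advisory: it parses constructed web server access log lines, fully percent-decodes each parameter so that double encoding cannot hide a traversal, and flags the indicators of a file inclusion payload. The parameter name `template`, the client addresses and the log lines are all constructed for the demonstration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in the combined log shape; not real traffic, and the
# parameter name "template" is an assumption (the advisory does not name the
# vulnerable parameter).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /?template=header HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:12:00:02 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [10/May/2024:12:00:03 +0000] "GET /?template=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.13 - - [10/May/2024:12:00:04 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
203.0.113.14 - - [10/May/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators of a file inclusion payload once the value is fully decoded: directory
# traversal, an absolute path, a URL-style wrapper (php://, file://, ...) or a NUL byte.
INDICATOR = re.compile(r"(\.\.[/\\]|^[/\\]|^[A-Za-z]:[/\\]|^[A-Za-z][A-Za-z0-9+.-]*://|\x00)")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double encoding does not hide ../."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_lfi_attempts(log_text: str) -> List[Tuple[str, str, str, int]]:
    """Return (client ip, parameter name, decoded value, status) for every suspicious parameter."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.match(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        # parse_qsl already decodes one layer; decode_fully removes any further layers.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_fully(value)
            if INDICATOR.search(decoded):
                hits.append((match.group("ip"), name, decoded, int(match.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, name, value, status in flag_lfi_attempts(SAMPLE_LOG):
        # A 200 on a traversal request is worth triaging first, though it does not prove success.
        print(f"{ip} param={name} value={value!r} status={status}")
```

The status code is carried along because a 200 response to a traversal payload is the strongest signal available from the access log alone; confirming actual disclosure needs the response body or application logs. POST bodies are not in the access log, so a parameter sent in a form body would need the same check applied at the application or WAF layer.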
OpenCVE Enrichment