Impact
The Turitor theme contains an improper control of the filename used in a PHP include/require statement, allowing an attacker to inject a local file path. This flaw is a classic Local File Inclusion vulnerability: it can enable the reading of arbitrary files from the server's filesystem and, if the included file is executed as PHP, the execution of injected code. The risk materializes when an attacker crafts a URL that points the include at a sensitive or executable file, granting access to confidential data or remote code execution on the host.
Affected Systems
WordPress sites running the trippleS Turitor theme version 1.5.2 or earlier are affected. Any installation of Turitor below 1.5.3, regardless of other plugin or WordPress core versions, is vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity; the EPSS score of less than 1% shows a very low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a crafted request that manipulates the theme's include path to read or execute local files. Successful exploitation requires only the ability to request a URL on the vulnerable WordPress installation; the included file is read, and any PHP it contains executed, with the privileges of the web server process.
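The include-filename flaw described under Impact, and the request-driven vector described in this section, come down to a request parameter reaching `include` unchecked. The following is an added example written for this advisory; it is not code from the Turitor theme or from trippleS. The parameter name `template`, the template slugs in the allowlist, and the `templates/` directory layout are all assumptions. It shows the unsafe pattern beside a hardened loader that maps the request value through a fixed allowlist, confirms the resolved path stays inside the template directory, and logs every rejected request so the attempt is visible to monitoring.

```php
<?php
// Added example for this advisory, not code from the Turitor theme.
// The 'template' parameter, the slugs, and the templates/ directory are assumptions.

declare(strict_types=1);

/**
 * Unsafe pattern (illustration only, never call this): the request value is
 * spliced straight into the include filename, so whatever path it names is
 * resolved and included with the web server's privileges. This is the
 * Local File Inclusion flaw the advisory describes.
 */
function load_template_unsafe(string $requested): void
{
    include __DIR__ . '/templates/' . $requested . '.php';
}

/**
 * Hardened loader: the request value is only ever used as a key into a fixed
 * allowlist, and the resolved file is confirmed to sit inside $templateDir
 * before inclusion. Returns the included path, or null when rejected.
 * Rejections are passed to $logger so they can be alerted on.
 */
function load_template_safe(string $requested, string $templateDir, ?callable $logger = null): ?string
{
    // Assumed slugs; the real theme's template names are not on the page.
    static $allowed = [
        'course'     => 'course.php',
        'instructor' => 'instructor.php',
        'pricing'    => 'pricing.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        if ($logger !== null) {
            $logger(sprintf('rejected template request: %s', $requested));
        }
        return null;
    }

    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $allowed[$requested]);

    // Containment check: realpath() normalises the path, so a file that does
    // not exist or resolved outside the template directory is refused.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        if ($logger !== null) {
            $logger(sprintf('template resolved outside base dir or missing: %s', $requested));
        }
        return null;
    }

    include $path;
    return $path;
}

// Demonstration on a constructed, throwaway template directory.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/course.php', "<?php echo \"course template rendered\\n\";\n");

$log = [];
$logger = static function (string $msg) use (&$log): void {
    $log[] = $msg;
};

// Allowlisted slug whose file exists: included and its path returned.
var_dump(load_template_safe('course', $dir . '/templates', $logger));
// Value that is not an allowlisted slug: rejected before any path is built.
var_dump(load_template_safe('settings', $dir . '/templates', $logger));
// Allowlisted slug whose file is absent: realpath() fails, so it is rejected.
var_dump(load_template_safe('instructor', $dir . '/templates', $logger));
print_r($log);

// Clean up the constructed directory.
unlink($dir . '/templates/course.php');
rmdir($dir . '/templates');
rmdir($dir);
```

Run it with `php example.php`. The two logged rejection lines are the kind of event a WAF or SIEM rule for this theme would key on: on a patched site a request whose `template` value is not one of the known slugs is, by construction, never a legitimate page view.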
OpenCVE Enrichment