Impact
A pathname normalization flaw in beeteam368’s VidMov WordPress theme allows an attacker to supply a crafted path containing repeated separators, such as '.../...//', that escapes the intended directory. The weakness is classified as CWE-35 and can be exploited to read any file on the server that the web process can access, potentially exposing configuration files, credentials, or other sensitive data. The impact is significant because it enables non-privileged attackers to disclose confidential information without authentication.
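Why a sequence like '.../...//' defeats path filtering, as an added example (this is not the theme's code, which the advisory does not show). It assumes a filter that strips '../' in a single pass and contrasts it with a canonicalise-then-contain check; the function names and the temporary sandbox are constructed for illustration.

```php
<?php
// Hypothetical helpers illustrating CWE-35; not taken from the VidMov theme.

// Weak pattern: one left-to-right pass that deletes "../".
// In ".../...//" each removal leaves a dot or slash behind, and the
// leftovers join up into a fresh "../".
function naive_clean(string $path): string {
    return str_replace('../', '', $path);
}

// Hardened pattern: canonicalise first, then require the result to be a
// regular file located under the base directory.
function resolve_inside(string $base, string $userPath): ?string {
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null; // unresolvable path or not a regular file
    }
    // The trailing separator stops a sibling such as "media-old" from
    // passing a prefix check against "media".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sandbox: <tmp>/cwe35_demo_*/media/clip.txt plus a file outside media/.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe35_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/media', 0700, true);
file_put_contents($root . '/media/clip.txt', 'public');
file_put_contents($root . '/secret.txt', 'private');

$request = '.../...//secret.txt';      // the sequence named in the advisory
$cleaned = naive_clean($request);      // what the single-pass filter lets through

var_dump($cleaned);
// Weak flow: does the filtered value still reach a file outside media/?
var_dump(is_readable($root . '/media/' . $cleaned));
// Hardened flow: raw value, filtered value, then a legitimate file name.
var_dump(resolve_inside($root . '/media', $request));
var_dump(resolve_inside($root . '/media', $cleaned));
var_dump(resolve_inside($root . '/media', 'clip.txt') !== null);

// Remove the sandbox.
unlink($root . '/media/clip.txt');
unlink($root . '/secret.txt');
rmdir($root . '/media');
rmdir($root);
```

The containment check works on the resolved path, so it does not depend on enumerating every traversal spelling.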
Affected Systems
The flaw exists in the VidMov theme released by beeteam368 and affects all installations using versions up to and including 2.3.8. Any WordPress site that has deployed this theme and has not updated beyond 2.3.8 is vulnerable.
Risk and Exploitability
The CVSS score of 7.7 indicates a high-severity risk, but the EPSS score of < 1% suggests that exploitation attempts are currently rare. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a web request that supplies the malicious path, and the theme’s functionality must invoke the server’s file-handling routine with it. Because the attack is remote and does not require privileged access, it poses a significant threat to confidentiality for affected sites.