Zozothemes Corpkit theme contains an improper control of filename for include/require statements, allowing a local file inclusion (LFI) attack. An attacker can manipulate user input to reference arbitrary files on the server and read their contents. If the included file contains PHP code, the attacker may achieve remote code execution or elevate privileges, compromising confidentiality, integrity, and availability of the WordPress site.

The vulnerability affects the Corpkit theme distributed by Zozothemes, specifically all releases from the earliest available version through version 2.0. Any site running these theme versions without the fix is potentially exposed.

The CVSS score of 7.5 indicates a high severity. The EPSS score of less than 1% suggests that at the moment the likelihood of exploitation is very low, and it is not listed in the CISA KEV catalog. The attack vector is most likely via a crafted URL or form that feeds a file path parameter to the theme’s include logic. The exploitation requires the attacker to send a request to the vulnerable site with a manipulated filename; no privileged user access is required, so the impact could affect any visitor with a valid session or even unauthenticated users, depending on the site’s configuration.