The vulnerability arises from an improper control of filenames for include/require statements in the Mikado-Themes Biagiotti theme. This weakness, classified as CWE‑98, allows an attacker to influence the file path passed to PHP's include statements, leading to local file inclusion. If exploited, an actor could read sensitive configuration files, view source code, or potentially execute injected code, thereby compromising the confidentiality and integrity of the WordPress installation.

Affected systems are installations that use the Mikado-Themes Biagiotti WordPress theme version prior to 3.5.2. The vendor documentation lists affected versions as any version from the original release up through just before the 3.5.2 release. Site owners using any of those versions should check their theme version and protect the site accordingly.

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that the probability of exploitation in the wild is currently very low, and it is not listed in the CISA KEV catalog. The likely attack vector is local, requiring attacker control of the web server file system or the ability to supply crafted requests to the theme. Because the weakness permits the inclusion of arbitrary local files, any compromise of the web application or server could be leveraged to read or execute malicious code.