Based on the description, this vulnerability in the AdForest WordPress theme arises from inadequate validation of the filename supplied to PHP’s include/require statements. An attacker can supply a crafted value that forces the theme to include any local file on the server, allowing the attacker to read sensitive configuration files or, if the included file contains PHP code, potentially execute arbitrary code on the server. The weakness is categorized as CWE‑98 and could lead to confidentiality and integrity compromises. The potential for remote code execution is inferred if the attacker supplies a PHP file containing malicious code.

The issue affects the AdForest theme developed by scriptsbundle. All released versions from the first build up to and including 6.0.11 are impacted. Site owners running these versions on a WordPress installation should verify whether they are using an affected theme.

The CVSS score of 8.1 classifies this flaw as high severity. The EPSS score is reported as less than 1%, indicating a very low current exploitation probability. It is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would need to influence the include path, most likely through a crafted request to a publicly accessible page served by the theme, and the flaw does not require login or elevated privileges. The possibility of remote code execution is inferred from the vulnerability description, making the threat noteworthy despite the low exploitation probability.