The flaw is an improper control of the filename used in a PHP include/require statement within the LoftOcean PatioTime theme for WordPress. This weakness, identified as CWE‑98, permits an attacker to define an arbitrary file path, causing the PHP engine to load a local file. If the attacker can supply a writable file containing PHP code, the resulting file inclusion can be leveraged to execute arbitrary code on the server. The vulnerability also enables disclosure of local files, exposing sensitive data such as credentials or private keys.

All installations of the LoftOcean PatioTime theme that are running a version older than 2.1 are impacted. This includes every release from the theme’s earliest version up through 2.0.x. WordPress sites that have not upgraded the theme beyond 2.1 are therefore vulnerable.

The CVSS score of 8.1 reflects a high severity for this local file inclusion, as it can be triggered without user interaction and may lead to code execution. The EPSS score of "< 1%" shows that current exploitation activity is low, but the pathway remains open. The flaw is not listed in the CISA KEV catalog. The attack vector is inferred to be through a crafted web request that manipulates the filename supplied to the include/require call, likely via a query parameter or a custom URL path processed by the theme. An unauthenticated attacker with access to such a parameter can read or read/write files on the server, and if a writable file can be placed in the affected directory, can execute PHP code for remote code execution.