Impact
The vulnerability is improper control of the filename passed to an include/require statement in the PHP code of the Soledad WordPress theme, described as a PHP Local File Inclusion flaw. An attacker who can influence the filename used by the theme could cause the theme to include arbitrary files from the server’s filesystem, potentially leading to the execution of malicious code, local file disclosure, or other information‑leakage attacks. This weakness is classified as CWE‑98 and can affect the confidentiality, integrity, and availability of the affected WordPress installation.
Affected Systems
All WordPress sites that install the PenciDesign Soledad theme with a version up to and including 8.7.0 are affected. No specific patch version is mentioned in the CNA data; the issue applies to every release from the earliest known version up through 8.7.0.
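To check a host against the affected range above, the following added example (not part of the CNA data or the theme's code) reads the standard WordPress `style.css` theme header and flags the theme and any child themes built on it. The directory slug `soledad` and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (8, 7, 0)  # advisory: versions up to and including 8.7.0

def parse_theme_header(css_text):
    """Return lower-cased 'Key: value' header fields from the start of style.css."""
    fields = {}
    for line in css_text[:8192].splitlines():
        m = re.match(r"^[\s*/#@]*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields

def version_tuple(text):
    """Turn '8.7' or '8.7.0-beta' into a comparable 3-part tuple, or None."""
    nums = re.findall(r"\d+", text.split("-")[0])
    if not nums:
        return None
    parts = [int(n) for n in nums[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def audit_themes(themes_dir, slug="soledad"):  # slug is an assumed directory name
    """Return [(theme_dir, parent_version, status)] for the theme and its child themes."""
    headers = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        headers[css.parent.name] = parse_theme_header(css.read_text(errors="replace"))
    if slug not in headers:
        return []
    raw = headers[slug].get("version", "")
    ver = version_tuple(raw)
    status = ("unknown" if ver is None
              else "affected" if ver <= LAST_AFFECTED else "outside advisory range")
    findings = [(slug, raw, status)]
    for name, h in headers.items():
        # A child theme (Template header) still loads the parent theme's PHP.
        if name != slug and h.get("template", "").lower() == slug:
            findings.append((name, raw, status + " via child theme"))
    return findings

if __name__ == "__main__":
    # Constructed sample tree, not taken from a real site.
    with tempfile.TemporaryDirectory() as d:
        for name, css in (("soledad", "/*\nTheme Name: Soledad\nVersion: 8.6.9\n*/"),
                          ("soledad-child", "/*\nTheme Name: Kid\nTemplate: soledad\n*/")):
            (Path(d) / name).mkdir()
            (Path(d) / name / "style.css").write_text(css)
        print(audit_themes(d))
```

Point `audit_themes` at a site's `wp-content/themes` directory; an "unknown" status means the header carried no parseable version and the install should be checked by hand.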
Risk and Exploitability
The CVSS score of 7.5 indicates a moderate‑to‑high severity problem. The EPSS score of less than 1% suggests that exploitation is unlikely at the time of this analysis. Because the vulnerability is listed as a Local File Inclusion, a successful exploit would require an attacker to discover and target the theme’s filename parameter, which is typically exposed via publicly accessible URLs or theme configuration panels. If the attacker can successfully manipulate the include logic, they could read sensitive files or cause code execution. The vulnerability is not listed in the CISA KEV catalog, further indicating a lower immediate exploitation risk, but the potential impact remains high.