Impact
The vulnerability in Select‑Themes Stockholm Core allows an attacker to manipulate the file name used in an include or require statement. Because the plugin does not properly validate or sanitize this value, an arbitrary local file can be loaded at runtime. An attacker who can influence the value may trigger the execution of local code, read sensitive files, or otherwise compromise the integrity of the WordPress installation. The weakness is identified as CWE‑98.
Affected Systems
All releases of the Stockholm Core WordPress plugin from early versions through 2.4.6 are affected. The affected vendor is Select‑Themes and the product is the Stockholm Core plugin. The public CVE notes indicate the problem applies to every version up to and including 2.4.6; later versions are not listed as vulnerable.
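An added example, not part of the advisory or the plugin's own code: a Python check that reads the standard WordPress plugin header of each installed plugin and flags Stockholm Core at or below 2.4.6. The `Plugin Name` header value "Stockholm Core", the function names and the default `wp-content/plugins` path are assumptions.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (2, 4, 6)       # advisory: every version up to and including 2.4.6
PLUGIN_NAME = "Stockholm Core"  # assumed value of the "Plugin Name:" header field

def read_header(text, field):
    """Return a plugin header field, or None. Like WordPress, search only the first 8 KiB."""
    m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$",
                  text[:8192], re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None

def parse_version(version):
    """Turn '2.4.6' into (2, 4, 6); return None if any component is not numeric."""
    parts = version.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def is_affected(version):
    """True or False for parseable versions, None when manual review is needed."""
    parsed = parse_version(version or "")
    if parsed is None:
        return None
    # Pad both sides so 2.4 compares as 2.4.0 and 2.4.6.1 sorts after 2.4.6.
    width = max(len(parsed), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(parsed) <= pad(LAST_AFFECTED)

def scan_plugins(plugins_dir):
    """Yield (file, version, affected) for each plugin main file named PLUGIN_NAME."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        if (read_header(text, "Plugin Name") or "").lower() == PLUGIN_NAME.lower():
            version = read_header(text, "Version")
            yield str(php), version, is_affected(version)

# Constructed sample header for illustration, not copied from the real plugin.
SAMPLE = """<?php
/*
Plugin Name: Stockholm Core
Version: 2.4.6
*/
"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for path, version, affected in scan_plugins(root):
        print(path, version, {True: "AFFECTED", False: "not listed", None: "review"}[affected])
```

A result of `None` (printed as "review") means the version string could not be parsed and the installation should be checked by hand.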
Risk and Exploitability
The CVSS score of 7.5 classifies the flaw as high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker would need to supply crafted input that is used as the filename in an include/require call, which likely requires local or authenticated access to the WordPress instance. As a result, the risk is significant for systems that have the vulnerable plugin installed and are exposed to untrusted input or to users who can influence plugin parameters.
OpenCVE Enrichment