Impact
Improper handling of filenames in the Bookory theme’s include/require statements results in a local file inclusion (LFI) flaw. An attacker who can control a file path value supplied through the theme’s interface or URL parameters can cause the theme to load arbitrary local files. Successful exploitation could expose sensitive files or execute malicious code embedded in those files, potentially compromising the confidentiality, integrity, or availability of the WordPress installation.
Affected Systems
The vulnerability has been identified in the pavothemes Bookory WordPress theme, affecting all released versions up to and including 2.2.7. Users installing or currently running any of these versions should check their installation for the affected code paths.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity for this local file inclusion flaw. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Even with a low exploitation likelihood, the impact of a successful attack can be severe, as an attacker could read local files or execute code via crafted requests. The likely attack vector is remote, through a web request that triggers the vulnerable include, but exploitation requires that the attacker can influence the filename parameter provided to the theme.
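As an added illustration of the flaw class described above (not code from the Bookory theme, whose affected code path is not shown on this page), the following PHP shows the unsafe pattern of building an include path from a request value beside a hardened version that treats the value only as a key into a fixed allowlist. The parameter name `layout`, the function names and the layout file names are assumptions.

```php
<?php
// Added example, not the Bookory theme's code. The request parameter
// 'layout' and the layout file names are hypothetical.

// UNSAFE PATTERN: the untrusted value becomes part of the filesystem path.
// A value containing path separators or '..' escapes the intended
// directory, and include executes any PHP tags found in the loaded file.
function theme_include_layout_unsafe( string $theme_dir ): void {
    $layout = isset( $_GET['layout'] ) ? (string) $_GET['layout'] : 'default';
    include $theme_dir . '/layouts/' . $layout . '.php';
}

// HARDENED PATTERN: the untrusted value is only looked up in a fixed map,
// so it never reaches the path at all. Unknown keys fall back to a known file.
const THEME_LAYOUTS = [
    'default' => 'layouts/default.php',
    'grid'    => 'layouts/grid.php',
    'list'    => 'layouts/list.php',
];

function theme_resolve_layout( string $theme_dir, ?string $requested ): string {
    $key  = ( $requested !== null && isset( THEME_LAYOUTS[ $requested ] ) ) ? $requested : 'default';
    $path = $theme_dir . '/' . THEME_LAYOUTS[ $key ];

    // Defence in depth: confirm the resolved file still lives inside the theme
    // directory, so a mistake in the map cannot point outside it.
    $real = realpath( $path );
    $base = realpath( $theme_dir );
    if ( $real === false || $base === false
        || strncmp( $real, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        throw new RuntimeException( 'layout file is outside the theme directory' );
    }
    return $real;
}

function theme_include_layout_hardened( string $theme_dir ): void {
    $requested = isset( $_GET['layout'] ) ? (string) $_GET['layout'] : null;
    include theme_resolve_layout( $theme_dir, $requested );
}
```

Inside a real theme, `$theme_dir` would come from WordPress's `get_template_directory()`; the point of the hardened version is that no request-controlled string is ever concatenated into the include path.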
OpenCVE Enrichment