Impact
The Greenmart WordPress theme up to version 4.2.11 contains an improper control of the filename used in PHP include/require statements (CWE‑98). This flaw can enable an attacker to supply a crafted argument that causes the application to read or execute files from the local file system. If the attacker injects code into a readable file or writes a malicious file to a path that is later included, this can lead to the execution of arbitrary code or disclosure of sensitive data.
Affected Systems
The vulnerability affects the Greenmart theme supplied by thembay. All versions from the initial release through 4.2.11 are impacted. WordPress sites running any of these releases are potentially exposed.
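To check an installation against the affected range above, the following added example (not code from thembay or from this advisory's source) reads the `Version:` header of each theme's style.css and compares it with 4.2.11. It assumes the theme identifies itself with "greenmart" in its `Theme Name:` header; the sample headers and the function names are constructed for illustration.

```python
import re
from pathlib import Path

LAST_AFFECTED = (4, 2, 11)  # from the advisory: versions up to 4.2.11 are impacted

# WordPress reads theme metadata from "Field: value" lines in the first 8 KiB of style.css.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):(.*)$", re.I | re.M)

def parse_theme_header(css_text):
    """Return the header fields of interest, keyed by lower-cased field name."""
    fields = {}
    for name, value in HEADER_RE.findall(css_text[:8192]):
        fields.setdefault(name.lower(), value.strip(" \t\r*/"))
    return fields

def version_tuple(version):
    """Turn '4.2.11' into (4, 2, 11); a suffix such as '-beta' is ignored."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(css_text):
    """True/False for a Greenmart parent theme; None if not applicable or unknown."""
    fields = parse_theme_header(css_text)
    # Assumption: the theme name in the header contains "greenmart".
    if "greenmart" not in fields.get("theme name", "").lower():
        return None
    if fields.get("template"):  # child theme: the parent's version is what matters
        return None
    ver = version_tuple(fields.get("version", ""))
    return ver <= LAST_AFFECTED if ver else None

def scan(themes_dir):
    """Map theme directory name -> affected flag for every Greenmart copy found."""
    results = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        verdict = is_affected(css.read_text(encoding="utf-8", errors="replace"))
        if verdict is not None:
            results[css.parent.name] = verdict
    return results

# Constructed sample headers (not taken from the real theme files).
SAMPLE_AFFECTED = "/*\nTheme Name: GreenMart\nVersion: 4.2.11\n*/"
SAMPLE_LATER = "/*\r\n * Theme Name: GreenMart\r\n * Version: 4.2.12\r\n */"  # advisory names no fixed release
SAMPLE_CHILD = "/*\nTheme Name: GreenMart Child\nTemplate: greenmart\nVersion: 1.0\n*/"
```

Run `scan()` against a site's `wp-content/themes` directory; a child theme returns no verdict because the parent theme's copy is the one that carries the vulnerable code.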
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity level. The EPSS score of less than 1% signals a low probability of exploitation at this time, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is local file inclusion triggered through web input to the theme. This is an inference: the attacker must be able to supply an input value that influences the include path, possibly through a publicly reachable page. Because the exploit relies on local file access, initial compromise may require that the attacker can write files to the server or find writable directories. Once that condition is met, the impact can be significant.
OpenCVE Enrichment