Impact
Edge-Themes Overworld version 1.3 and earlier releases contain an improper control of the filename used in an include/require statement. The flaw allows an attacker to specify arbitrary local file paths that the PHP runtime will include, which can lead to disclosure of file contents or execution of unintended code. This condition maps directly to CWE-98 (PHP Remote File Inclusion / improper control of an include filename), in which an attacker causes the application to process and serve sensitive files or to run malicious scripts.
Affected Systems
All installations of the Edge-Themes Overworld theme up to and including version 1.3 are affected. The theme ships as a set of override (template) files inside a WordPress installation, and the vulnerability resides in the theme's PHP files that handle file inclusion. No other versions or themes are known to contain the issue as defined by the CNA.
Risk and Exploitability
The CVSS score of 8.1 classifies this flaw as high severity. The EPSS score of less than 1 percent indicates that public exploit examples are scarce, although a targeted attack remains possible. The vulnerability is not currently listed in CISA's KEV catalog, so no widespread exploitation has been documented yet. The attack vector is not explicitly documented in the CVE data, but based on the flaw description it appears to involve user-controllable input that dictates the filename used in an include/require call, such as request parameters or cookie values that the theme may accept. This is an inference from the nature of the flaw, not a documented detail. Successful exploitation could result in arbitrary file reading or execution of code within the WordPress context.
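The following is an added example, not code from the Overworld theme or from OpenCVE: it shows the CWE-98 pattern described under Impact (a request value concatenated into the path given to `require`) next to an allowlist-based hardened version, and exercises the user-controlled-parameter vector inferred under Risk and Exploitability with constructed inputs. The parameter name `template`, the template file names and the temporary theme directory are all assumptions made for this demonstration; nothing here reflects the theme's actual parameter names or file layout. The vulnerable function is defined but never called.

```php
<?php
// Added example, not the Overworld theme's own code: a hypothetical
// CWE-98 include controlled by a request parameter, beside an
// allowlist-based hardened version. Directory layout, parameter name
// and template names are constructed for this demonstration.

// Constructed theme directory with three template files.
$themeDir = sys_get_temp_dir() . '/cwe98_demo_' . getmypid();
@mkdir($themeDir, 0700, true);
foreach (['default', 'blog', 'portfolio'] as $name) {
    file_put_contents("$themeDir/$name.php", "<?php echo 'rendered $name template', PHP_EOL;");
}

// VULNERABLE (hypothetical): user input is concatenated into the path
// handed to require, so "../x" or an absolute path reaches the filesystem.
// This is the pattern the advisory describes; it is shown, not executed.
function render_vulnerable(string $themeDir, array $request): void
{
    $template = $request['template'] ?? 'default';
    require $themeDir . '/' . $template . '.php';
}

// HARDENED: the request value is only a lookup key into a fixed allowlist,
// never a path fragment, and the resolved path is checked against the base.
const TEMPLATE_ALLOWLIST = [
    'default'   => 'default.php',
    'blog'      => 'blog.php',
    'portfolio' => 'portfolio.php',
];

function resolve_template(string $themeDir, string $requested): string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        $requested = 'default';   // unknown value: fall back, never build a path from it
    }
    $base = realpath($themeDir);
    $path = realpath($themeDir . '/' . TEMPLATE_ALLOWLIST[$requested]);
    // Defence in depth: the final path must sit inside the theme directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template resolves outside the theme directory');
    }
    return $path;
}

function render_hardened(string $themeDir, array $request): void
{
    require resolve_template($themeDir, (string)($request['template'] ?? 'default'));
}

// Constructed request values: two legitimate names, one traversal-shaped
// value and one absolute path, to show how each is handled.
$samples = ['blog', '../../wp-config', '/etc/passwd', 'portfolio'];
foreach ($samples as $value) {
    $wouldInclude = $themeDir . '/' . $value . '.php';
    printf("input %-18s vulnerable path: %s\n", var_export($value, true), $wouldInclude);
    printf("%-24s hardened: ", '');
    render_hardened($themeDir, ['template' => $value]);   // unknown keys render the default
}

// Clean up the constructed directory.
array_map('unlink', glob("$themeDir/*.php"));
rmdir($themeDir);
```

Run with `php example.php`. The point of the hardened version is that user input never becomes part of a filesystem path: it selects an entry from a closed map, and even the selected entry is verified with `realpath` to lie under the theme directory before `require` sees it. Reviewing a theme for this class of flaw therefore means searching its PHP for `include`, `include_once`, `require` and `require_once` whose argument is built from `$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE` or any value derived from them without an allowlist step like the one above.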
OpenCVE Enrichment