Impact
The TanTum WordPress theme does not properly control the filename parameter used in a PHP include/require statement, allowing an attacker to influence the file path that the server loads. This flaw can lead to local file inclusion, exposing sensitive system files or configuration data, and potentially to arbitrary code execution if a remote attacker can craft a suitable include path. The CVSS score of 8.1 indicates high severity, and the CWE-98 classification (improper control of a filename for a PHP include/require statement) identifies the weakness as a file inclusion flaw.
Affected Systems
The vulnerability affects the TanTum WordPress theme by AncoraThemes, from the earliest release through and including version 1.1.13. Any WordPress installation running an affected version of this theme is at risk, regardless of other security controls, because the flaw lives in the theme's own files.
Risk and Exploitability
The EPSS score is below 1%, implying a low overall exploitation probability at this time, and the issue is not listed in CISA's KEV catalog. However, the high CVSS value indicates a serious potential impact if it is exploited. The most likely attack vector is a web request that supplies a crafted filename to the theme's include logic; local file inclusion can then be used to read sensitive files or, in the worst case, to execute malicious code if the attacker can place a file that the server will execute. Exploitation requires only that the attacker can reach the vulnerable website and manipulate the include parameter, so the attack originates from the web application context.
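The mitigation for this weakness class is to never build an include path from request data. The following added example (not TanTum's or AncoraThemes' code) shows the weak pattern the advisory describes beside a hardened version that maps a request value onto a fixed allowlist of theme templates; the `tpl` parameter name, the `templates/` directory and the function name are assumptions.

```php
<?php
// Added example, not from the TanTum theme. Assumes a request parameter
// named 'tpl' and a 'templates/' directory inside the theme (both constructed).

// Weak pattern (CWE-98): the request string becomes part of the include path,
// so traversal sequences or other file names steer what the server loads.
function weak_load_template(): void
{
    include get_template_directory() . '/' . $_GET['tpl'] . '.php';
}

// Hardened pattern: the request value is only ever a key into an allowlist,
// and the resolved path is re-checked to sit inside the theme directory.
function hardened_load_template(string $requested): void
{
    $allowed = [
        'header'  => 'templates/header.php',
        'footer'  => 'templates/footer.php',
        'sidebar' => 'templates/sidebar.php',
    ];

    // Unknown names fall back to a safe default; the input never reaches the path.
    if (!array_key_exists($requested, $allowed)) {
        $requested = 'header';
    }

    $base = realpath(get_template_directory());
    $path = realpath($base . '/' . $allowed[$requested]);

    // Defence in depth: realpath() resolves symlinks and '..', so the result
    // must still start with the theme directory followed by a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        wp_die('Template not found', 'Not found', ['response' => 404]);
    }

    include $path;
}

// Only a scalar string is accepted; arrays or missing values use the default.
$tpl = (isset($_GET['tpl']) && is_string($_GET['tpl'])) ? $_GET['tpl'] : 'header';
hardened_load_template($tpl);
```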
OpenCVE Enrichment