Impact
The vulnerability is caused by improper control of the filename in a PHP include/require statement within the jwsthemes FreeAgent theme. The theme accepts a user-supplied filename and passes it directly to an include/require call without adequate validation or sanitization, so an attacker can make the server include, and potentially execute, arbitrary local files. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). A successful attacker may read sensitive files or inject malicious code that runs in the context of the web application, jeopardizing the confidentiality and integrity of the site contents and potentially allowing further compromise of the hosting environment.
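The pattern described above next to a hardened form, as an added example (not code from the FreeAgent theme or from this advisory). The `layout` parameter, the `resolve_layout` helper and the directory names are hypothetical.

```php
<?php
// Hypothetical loader: parameter, function and directory names are assumptions.

// Vulnerable pattern (CWE-98), shown commented out: the request value reaches
// include unchecked.
// include __DIR__ . '/layouts/' . $_GET['layout'] . '.php';

/**
 * Map a requested layout name to a file under $baseDir.
 * Returns the canonical path, or null when the request must be rejected.
 */
function resolve_layout(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: accept only names the theme is known to ship.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Canonicalise, then confirm the file exists and sits under the base
    //    directory (defence in depth if the allowlist is ever loosened).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary layouts directory holding one real layout.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'layouts_demo_' . getmypid();
if (!is_dir($baseDir)) {
    mkdir($baseDir, 0700);
}
file_put_contents($baseDir . '/grid.php', '<?php return "grid layout";');
$allowed = ['grid', 'list'];

// Constructed inputs: valid name, traversal attempt, allowlisted but missing file.
foreach (['grid', '../config', 'list'] as $input) {
    $path = resolve_layout($input, $baseDir, $allowed);
    if ($path === null) {
        printf("%-12s rejected\n", $input);
        continue;
    }
    $result = include $path;
    printf("%-12s included -> %s\n", $input, $result);
}

unlink($baseDir . '/grid.php');
rmdir($baseDir);
```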
Affected Systems
The affected product is the FreeAgent theme from jwsthemes. All releases from the initial version up to and including 2.1.2 are vulnerable. No other vendors or products are listed. Version 2.1.3 or later is presumed to contain the fix, which would close the public vulnerability window for newer releases.
Risk and Exploitability
The CVSS score of 8.1 places the vulnerability in the high severity range, indicating that exploitation would likely cause significant consequences such as data exposure or code execution. The EPSS score of less than 1% indicates that, at the time of analysis, the probability of active exploitation is very low, and the issue is not included in the CISA KEV catalog. Based on the description, the likely attack vector is a web‑based request that supplies a malicious filename parameter to a theme function, and the attacker would need some ability to invoke the vulnerable code path, such as access to a publicly exposed URL or a compromised account with sufficient privileges.