Impact
A vendor-supplied WordPress theme, Imba, contains an unauthenticated local file inclusion (LFI) flaw that lets an attacker request arbitrary files on the server. The flaw is classified as CWE-98 (improper control of the filename passed to an include/require statement in a PHP program) and can lead to exfiltration of sensitive configuration files or, if the attacker is also able to place a malicious script on the server and force its inclusion, remote code execution. No user authentication is required, and the flaw is exercised through standard request parameters in unprotected URLs. The impact falls primarily on the confidentiality and integrity of server files, with the potential to compromise the entire WordPress installation if exploitation succeeds.
Affected Systems
The problem exists in all installations of the Imba theme version 1.5.0 and earlier. WordPress sites that have not upgraded the theme beyond 1.5.0 remain at risk. No other vendors or products are currently affected according to the CNA data.
Risk and Exploitability
The vulnerability is rated with a CVSS score of 8.1, indicating high severity. No EPSS score is available, but the absence of a low exploitation-probability rating, combined with the unauthenticated nature of the LFI and the lack of mitigations in affected sites, makes it a likely target for automated scanners. The vulnerability is not listed in the CISA KEV catalog, but its impact and ease of exploitation suggest that attackers may already be probing for it. Successful exploitation could read critical files or, if file upload is also feasible, lead to remote code execution. The attack vector is crafted HTTP requests whose parameters point at sensitive server files, and it can be carried out by anyone with network access to the web server.
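The crafted-request vector described in the Impact and Risk sections, together with the input validation that closes a CWE-98 include and a log check for the probes that automated scanners send, as an added example that is not part of the advisory and not code from the Imba theme. The parameter name `tpl`, the theme directory `THEME_DIR`, the template allowlist and the access-log lines are all constructed for illustration; the Imba theme's real parameter names and file layout are not given on this page.

```python
"""Added example, not code from the advisory or from the Imba theme.

Two defender-side pieces for a CWE-98 style local file inclusion:
  1. resolve_template(): how an include parameter should be validated
     (allowlist plus path containment) so '../' and absolute paths fail.
  2. scan_access_log(): spotting LFI probes in web server access logs,
     including single- and double-URL-encoded traversal sequences.
The parameter name 'tpl', THEME_DIR and SAMPLE_LOG are constructed.
"""
import os
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical theme directory; only used for the path containment check.
THEME_DIR = "/srv/www/wp-content/themes/example-theme"

# Templates a request may select, mapped to the file that backs each one.
# The request never supplies a path, only a key into this table.
ALLOWED_TEMPLATES = {
    "header": "template-parts/header.php",
    "footer": "template-parts/footer.php",
    "sidebar": "template-parts/sidebar.php",
}


def resolve_template(requested: str, theme_dir: str = THEME_DIR) -> Optional[str]:
    """Map a request-supplied template name to a file inside theme_dir, or None.

    Check 1: the name must be an allowlist key, so '../x' or '/etc/x' are rejected.
    Check 2: the resolved path must still lie under theme_dir. Redundant with the
    allowlist today, but it catches a future mistake such as a symlinked entry.
    """
    name = requested[:-4] if requested.endswith(".php") else requested
    rel = ALLOWED_TEMPLATES.get(name)
    if rel is None:
        return None
    root = os.path.realpath(theme_dir)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded probes (%252e -> %2e -> .) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_lfi(value: str) -> bool:
    """Indicators for a value fed to an include: traversal, NUL truncation, system paths."""
    return (
        ".." in value
        or "\x00" in value
        or value.startswith(("/etc/", "/proc/"))
    )


# Apache/nginx combined log format: client IP first, request line in quotes.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_params(target: str) -> list:
    """Return (param, decoded_value) pairs in a request target that look like LFI probes."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:           # parse_qs already decoded once; go further
            value = decode_fully(raw)
            if looks_like_lfi(value):
                hits.append((name, value))
    return hits


def scan_access_log(lines) -> list:
    """One dict per suspicious request: source IP, parameter name, decoded value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m.group("target")):
            findings.append({"ip": m.group("ip"), "param": name, "value": value})
    return findings


# Constructed access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /?tpl=header HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /?tpl=../../../../etc/passwd HTTP/1.1" 200 1034 "-" "scanner/1.0"',
    '198.51.100.9 - - [10/Mar/2024:10:00:03 +0000] "GET /?tpl=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2200 "-" "-"',
    '198.51.100.9 - - [10/Mar/2024:10:00:04 +0000] "GET /?tpl=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 80 "-" "-"',
    '192.0.2.7 - - [10/Mar/2024:10:00:05 +0000] "GET /?p=42&redirect=/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
    print(resolve_template("header"), resolve_template("../../../../etc/passwd"))
```

The detection half is deliberately coarse: it flags any `..` after full decoding, so a site whose legitimate parameters carry relative paths will need the indicators narrowed to the include parameter once the theme's actual parameter name is known. A 200 response on a flagged request, as in the constructed lines above, is the signal to treat as a probable successful read rather than a mere probe.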
OpenCVE Enrichment