Impact
The vulnerability in AirSupply theme versions 2.0.0 and earlier permits an unauthenticated attacker to trigger a local file inclusion (LFI). By manipulating input parameters, malicious actors can read arbitrary files on the server or, if writable PHP files can be included, potentially execute code. This flaw stems from insufficient input sanitization during file path construction.
Affected Systems
The issue affects WordPress sites using the ThemeREX AirSupply theme, specifically all releases 2.0.0 and earlier. Site owners using these theme versions are susceptible to LFI and must assess which precise release they are running.
Risk and Exploitability
The CVSS score of 8.1 indicates serious risk. The EPSS score is not available, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion via unsanitized input parameters, enabling read or potential execution of arbitrary files on the server (inferred from the description).
OpenCVE Enrichment