Impact
An unauthenticated local file inclusion flaw exists in ThemeREX Gamic versions 1.15 and earlier. The vulnerability occurs when the theme’s core PHP code constructs file paths directly from user‑supplied parameters, allowing a crafted request to include any file stored on the web server. The flaw is aligned with CWE‑98 and, because it does not require authentication, an attacker can read sensitive files that are readable by the web server process.
Affected Systems
Any WordPress site that has installed the ThemeREX Gamic theme version 1.15 or an older release is vulnerable. The issue is isolated to the theme itself and does not depend on other plugins or themes. Site administrators should verify the installed theme version in their WordPress dashboard to determine exposure.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.1, indicating high severity. No EPSS score is available, but the flaw is triggered by normal web requests and needs no authentication, so the likelihood of exploitation is considered high. The vulnerability is not listed in CISA KEV. Attackers can likely manipulate query string parameters or form fields processed by the theme, causing arbitrary local file read or inclusion.
OpenCVE Enrichment