Impact
The issue is an unauthenticated Local File Inclusion flaw in WordPress ThemeREX Gunslinger versions 1.7 and earlier. A request parameter handled by the theme is passed directly to an include call without validation, allowing an attacker to specify any file path. This can be used to read sensitive files such as configuration files. The CVE description does not explicitly mention code execution; it only indicates that arbitrary file access is possible.
Affected Systems
All WordPress sites that have ThemeREX Gunslinger theme 1.7 or older installed and active. The vulnerability exists regardless of the underlying operating system or web server, as it is triggered by the theme’s PHP code.
Risk and Exploitability
The CVSS score of 8.1 places the flaw in the high severity category. EPSS is not available and the issue is not listed in the CISA KEV catalog. The likely attack vector is inferred to be an unauthenticated HTTP request that manipulates the include path through a vulnerable parameter. Because no authentication is required and the flaw resides in the theme code, the threat remains significant for any publicly accessible site running the affected version.
OpenCVE Enrichment