Impact
The vulnerability is an unauthenticated Local File Inclusion in the ITactics WordPress theme versions 1.0 and earlier. An attacker can cause the web application to include files from the server file system, which may expose sensitive configuration files or allow the execution of arbitrary code if the attacker controls the included content. This flaw is identified by CWE-98.
Affected Systems
WordPress installations that use the ThemeREX ITactics theme with a version of 1.0 or earlier are affected. The issue applies to any site that has not upgraded the theme beyond the stated maximum vulnerable version.
Risk and Exploitability
The CVSS score of 8.1 signals a high severity, but the EPSS score indicates that the probability of exploitation is currently very low (<1%) and the vulnerability is not listed in CISA's KEV catalog. Despite this low likelihood, the flaw is unauthenticated, so an attacker could trigger it from any network location; the likely attack vector is via user‑supplied URLs or form inputs that are not properly sanitized, as inferred from the description.
OpenCVE Enrichment