The vulnerability is an improper control of filenames supplied to PHP include or require statements within the ThemeREX Gable WordPress theme. This weakness, identified as CWE‑98, grants the ability to have PHP include a local file chosen by an attacker. The CVSS score of 8.1 indicates a high potential impact; including a local file can disclose sensitive data or, if the file contains executable code, could result in code execution. The documentation notes that a local file can be included but does not explicitly confirm that arbitrary PHP code execution is guaranteed. However, based on PHP’s handling of included files, it is reasonable to infer that executable files could be run, though this outcome is not stated directly.

All releases of the Gable theme from its initial version up to and including version 1.5 are affected. The affected product is the WordPress theme Gable by ThemeREX. No specific patch versions are listed; therefore any installation using a version equal to or older than 1.5 is vulnerable.

The EPSS score of less than 1 % signifies a very low probability of active exploitation, and the vulnerability is not listed in the CISA KEV catalog. The flaw involves an uncontrolled filename used in a PHP include. The likely attack vector is an unauthenticated HTTP request that supplies a crafted filename to the theme’s include logic. If successfully exploited, the high CVSS score reflects potential confidentiality or integrity compromise or code execution. The overall risk remains high severity but with a currently low likelihood of exploitation.