Impact
This vulnerability allows local file inclusion in the PawFriends WordPress theme. By controlling the filename used in an include/require statement, an attacker can read arbitrary files from the web server's filesystem or attempt to execute PHP code from untrusted locations. The impact is potential disclosure of sensitive configuration data and, if the attacker can cause PHP code to execute, full remote code execution on the affected site.
Affected Systems
The affected product is Mikado-Themes PawFriends – Pet Shop and Veterinary WordPress Theme, versions from the earliest available through and including 1.3. Site owners running any of those theme versions are impacted.
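To check an installation against the affected range above, the following added example (not part of the advisory or the vendor's code) reads the header fields of each theme's style.css under a wp-content/themes directory and flags PawFriends copies at version 1.3 or earlier. The "pawfriends" name match and the sample theme tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 3)     # advisory: every version through and including 1.3
NAME_HINT = "pawfriends"   # assumption: appears in the Theme Name or folder name

def read_header(style_css: Path) -> dict:
    """Parse the 'Key: value' header fields at the top of a theme's style.css."""
    head = style_css.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for m in re.finditer(r"^[ \t/*#@]*([A-Za-z ]+?)[ \t]*:[ \t]*(.+?)[ \t]*$", head, re.M):
        fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def parse_version(text):
    """'1.3.0' -> (1, 3); trailing zeros dropped so 1.3.0 compares equal to 1.3."""
    nums = [int(n) for n in re.findall(r"\d+", text or "")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums) or None

def scan_themes(themes_dir: Path) -> list:
    """Return (folder, version, status) for each PawFriends parent theme found."""
    findings = []
    for css in sorted(themes_dir.glob("*/style.css")):
        hdr, folder = read_header(css), css.parent.name
        if hdr.get("template"):   # child theme: the parent's copy is what matters
            continue
        if NAME_HINT not in (hdr.get("theme name", "") + " " + folder).lower():
            continue
        ver = parse_version(hdr.get("version"))
        # No Version header means the copy has to be inspected by hand.
        status = "unknown" if ver is None else (
            "affected" if ver <= LAST_AFFECTED else "above advisory range")
        findings.append((folder, hdr.get("version"), status))
    return findings

def demo() -> list:   # constructed sample tree, not a real site
    samples = {
        "pawfriends": "/*\nTheme Name: PawFriends\nVersion: 1.3\n*/",
        "pawfriends-child": "/*\nTheme Name: PawFriends Child\nTemplate: pawfriends\n*/",
        "twentytwentyfour": "/*\nTheme Name: Twenty Twenty-Four\nVersion: 1.2\n*/",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, css in samples.items():
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "style.css").write_text(css, encoding="utf-8")
        return scan_themes(Path(tmp))
```

On a real host, call scan_themes() with the path to the site's wp-content/themes directory; an inactive copy of the theme left on disk is still reported.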
Risk and Exploitability
With a CVSS score of 8.1, the severity is high. EPSS indicates a very low probability of exploitation (<1%) at present, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a local request to a theme URL that accepts an arbitrary filename parameter; successful exploitation requires the attacker to be able to send that request to the vulnerable site, which could be achieved via client-side input or by leveraging additional weaknesses. The official CNA provides no workaround, so remediation hinges on applying the patch or upgrading the theme.