Impact
The vulnerability arises from improper control of the filename used in PHP include/require statements within the Wolmart theme. An attacker can supply a crafted value that causes the application to read arbitrary files on the server, potentially including PHP scripts that are executed when the file is included. This flaw allows disclosure of sensitive data such as configuration files and, if attacker‑controlled PHP files are included, code execution with the privileges of the web server. The weakness corresponds to CWE‑98, "Improper Control of Filename for Include/Require Statement".
Affected Systems
The issue affects the don‑themes Wolmart WordPress theme up to and including version 1.9.6. No specific sub‑versions are listed beyond the overall range, so all releases in that range are considered vulnerable.
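To find installs that fall in this range, the following added example (not part of the advisory or the theme's code) walks a directory of WordPress sites, reads the `Version:` header from the theme's `style.css`, and flags anything at or below 1.9.6. The theme directory name `wolmart` is an assumption, and the sample tree with its version numbers is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 9, 6)   # from the advisory: up to and including 1.9.6
THEME_SLUG = "wolmart"      # assumption: the theme's directory name

def parse_version(text):
    """Return the Version header of a theme style.css as a tuple of ints, or None."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", text, re.I | re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """Unknown versions count as affected so they get reviewed by hand."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))   # 1.9 compares as 1.9.0
    return pad(version) <= pad(LAST_AFFECTED)

def audit(root):
    """Classify every wp-content/themes/<slug>/style.css found under root."""
    results = {}
    for css in Path(root).rglob(f"wp-content/themes/{THEME_SLUG}/style.css"):
        head = css.read_text(encoding="utf-8", errors="replace")[:8192]
        version = parse_version(head)
        results[str(css.parent.relative_to(root))] = (version, is_affected(version))
    return results

def build_sample_tree(root):
    """Constructed sample data: three fake sites, one without a Version header."""
    for site, ver in {"site-a": "1.9.6", "site-b": "1.10.0", "site-c": None}.items():
        d = Path(root) / site / "wp-content" / "themes" / THEME_SLUG
        d.mkdir(parents=True)
        line = f"Version: {ver}\n" if ver else ""
        (d / "style.css").write_text(f"/*\nTheme Name: Wolmart\n{line}*/\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for theme_dir, (version, affected) in sorted(audit(tmp).items()):
            print(theme_dir, version, "AFFECTED" if affected else "ok")
```

Versions are compared as integer tuples, so 1.10.0 is correctly treated as newer than 1.9.6, which a plain string comparison would get wrong.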
Risk and Exploitability
The CVSS v3 score of 8.1 places the flaw in the high severity category, and the EPSS score of less than 1% indicates a very low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers would most likely target websites running the affected theme via unauthenticated HTTP requests that trigger the vulnerable inclusion logic. Successful exploitation would provide the attacker with arbitrary file access on the host, potentially leading to information disclosure or remote code execution if the attacker can place and include malicious PHP files.