The Mikado‑Themes Fleur WordPress theme contains a flaw where user‑supplied input is passed directly to PHP include or require functions without proper validation. This improper control of the filename, identified as CWE‑98, allows an attacker to read any file located on the server that the web server can access. The result is a local file inclusion vulnerability that can expose configuration files, passwords, or other sensitive data, compromising the confidentiality of the site.

All installations of the Fleur theme with a version equal to or lower than 2.2.1 are impacted. The flaw was present in every release of the theme from its initial version through 2.2.1. Sites that currently activate the Fleur theme and have not applied a newer release are at risk. The vulnerability is not vendor‑mandated to affect any other WordPress component.

The CVSS score of 8.1 classifies this as a high severity vulnerability. The EPSS score of less than 1 % indicates a very low observed exploitation probability at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via a crafted query string or form field that triggers the unvalidated include or require call. Based on the description, it is inferred that the attacker can supply arbitrary file paths to the theme’s include/require functions, allowing the reading of internal files such as configuration files or other data that should remain hidden. Because this flaw only enables local file inclusion for reading, it does not provide direct remote code execution unless the attacker can subsequently execute the included content or obtain further credentials.