Impact
This flaw stems from improper handling of filenames used in PHP include/require statements within the Innovio WordPress theme. Attackers can influence the file path that the theme processes and so read any file on the server that is accessible to the web server process. The issue is classified as CWE‑98 (Improper Control of Filename for Include/Require). If the included file contains executable PHP code, the attacker could potentially execute that code (an inference from the vulnerability description). This could lead to full compromise of the website. The vulnerability carries a high severity score of 8.1 according to the industry standard scoring system.
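The CWE‑98 pattern described above, shown beside a hardened form, as an added illustration that is not code from the Innovio theme. The `layout` parameter, the template names and the function names are hypothetical, and the demo input is constructed.

```php
<?php
// Added illustration of CWE-98; NOT code from the Innovio theme.
// The 'layout' parameter, template names and function names are hypothetical.

// Weak pattern: request data flows straight into the include path.
function render_layout_unsafe(string $baseDir, array $query): void
{
    // Any path the web server user can read becomes reachable here.
    include $baseDir . '/' . $query['layout'] . '.php';
}

// Hardened pattern: map the request value onto a fixed allowlist, then
// confirm the resolved path is still inside the template directory.
function resolve_layout(string $baseDir, array $query): ?string
{
    $allowed = ['standard' => 'standard.php', 'masonry' => 'masonry.php'];
    $key = $query['layout'] ?? 'standard';
    if (!is_string($key) || !isset($allowed[$key])) {
        return null;                        // unknown value: refuse, do not guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;                        // directory or file missing
    }
    // Defence in depth: a symlinked template must not escape the base dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template directory and three request values.
$dir = sys_get_temp_dir() . '/layouts_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/standard.php', '<?php echo "standard\n";');
file_put_contents($dir . '/masonry.php', '<?php echo "masonry\n";');

foreach (['masonry', '../outside', ['x']] as $value) {
    $path = resolve_layout($dir, ['layout' => $value]);
    echo json_encode($value, JSON_UNESCAPED_SLASHES), ' => ',
        $path === null ? 'rejected' : 'include ' . basename($path), "\n";
    if ($path !== null) {
        include $path;                      // only allowlisted, contained files
    }
}
```

Only the allowlisted value reaches `include`; the path-like string and the non-string value are both rejected before any filesystem lookup.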
Affected Systems
The issue affects the Mikado-Themes Innovio WordPress theme version 1.7 and all earlier releases. No information is available for versions above 1.7; any site running 1.7 or earlier is considered vulnerable.
Risk and Exploitability
The reported exploitation probability is less than 1%, indicating that widespread attacks are not common, and the flaw is not listed in the known exploited vulnerabilities catalog. Still, the high severity underscores significant potential impact. An attacker can likely leverage crafted URLs or user‑supplied input that influences the include path, potentially without authentication if the theme does not enforce proper checks. Successful exploitation would permit the attacker to read sensitive configuration files or execute arbitrary PHP code (the latter inferred from the vulnerability description), thereby compromising the entire website.