Impact
The Marra theme improperly controls the filename used in a PHP include/require statement, allowing an attacker to make the theme load arbitrary files from the local filesystem. If the attacker can cause the inclusion of a PHP file under their control, or of any file whose contents are executed, they may achieve remote code execution; at a minimum they may read sensitive files. Confidentiality, integrity, and availability of the application are therefore all affected. The description does not specify a confirmed attack vector, but it is inferred that an attacker could trigger the flaw by supplying a crafted query string or other input that is passed to the include/require call.
Affected Systems
WordPress sites deploying the Mikado-Themes Marra theme version 1.2 or earlier are impacted. The vulnerability applies to any installation of the Marra theme from the earliest release through version 1.2, inclusive.
Risk and Exploitability
The CVSS score of 8.1 classifies this as a high-severity flaw. However, the EPSS score of less than 1% indicates that, as of the current data, the probability of exploitation is low. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that it has not yet been widely abused in the wild. The likely attack path involves a malicious user supplying a forged parameter that resolves to a local file path, which is then passed to the vulnerable include/require statement. Although exploitation requires the attacker to be able to send input to the application, the high severity rating warrants prompt attention.
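The flaw class described above, shown as an added illustration (not the Marra theme's own code, whose vulnerable parameter is not public): a request value that reaches include() unchanged, beside a hardened version that maps the value onto a fixed allowlist and confines the resolved path to the theme directory. The parameter name `layout`, the `layouts/` subdirectory and the file names are assumptions; `get_template_directory()` is the standard WordPress helper.

```php
<?php
// Added illustration, not the Marra theme's code. The request parameter
// ($_GET['layout']), the layouts/ directory and file names are assumptions.

// Vulnerable pattern: the untrusted value is concatenated straight into the
// include path, so traversal sequences or a path to an attacker-writable
// file are honoured by PHP.
function render_layout_unsafe(string $requested): void {
    include get_template_directory() . '/layouts/' . $requested . '.php';
}

// Hardened pattern: the request value is only ever used as a key into a
// fixed map of files the theme ships; it never becomes part of a path.
const LAYOUT_FILES = [
    'default' => 'layout-default.php',
    'wide'    => 'layout-wide.php',
];

// Returns the absolute path of an allowlisted layout, or null if the request
// names anything else or the file would resolve outside the layouts directory.
function resolve_layout(string $requested): ?string {
    if (!array_key_exists($requested, LAYOUT_FILES)) {
        return null;
    }
    $base = realpath(get_template_directory() . '/layouts');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . LAYOUT_FILES[$requested]);
    // realpath() collapses ../ and symlinks; insist the result stays under $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_layout_safe(string $requested): void {
    $path = resolve_layout($requested) ?? resolve_layout('default');
    if ($path !== null) {
        include $path;
    }
}

// Usage: a theme would normally read this from a request or a saved option.
$requested = isset($_GET['layout']) ? (string) $_GET['layout'] : 'default';
render_layout_safe($requested);
```

Checking for the unsafe pattern (a request value flowing into include/require) is also a quick way to triage other themes and plugins on the same site while the Marra update is applied.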
OpenCVE Enrichment