Impact
The Elated-Themes Gaspard theme for WordPress contains a flaw in which an attacker can influence the filename passed to a PHP include/require statement. Because the filename is not properly constrained, the theme can be made to include arbitrary files that already exist on the server; if such a file contains PHP code it is executed, so the weakness can lead to remote code execution or to disclosure of sensitive data such as configuration files and credentials. The weakness is classified as a Local File Inclusion vulnerability and carries a CVSS score of 8.1, a high-severity rating.
Affected Systems
Any WordPress site running the Gaspard theme from the vendor Elated-Themes at version 1.3 or earlier. No patched version is listed; the advisory states only that all releases up to and including version 1.3 are affected.
Risk and Exploitability
The high CVSS rating reflects a significant risk to confidentiality, integrity, and availability if exploitation succeeds, while the low EPSS score (<1%) indicates that exploitation in the wild is currently uncommon. The vulnerability is not listed in CISA's KEV catalogue. Note that "local" in Local File Inclusion describes the file being included, not the attacker's position: the included file must already exist on the web server's filesystem, but the path is supplied by the attacker, typically through a request parameter that the theme concatenates into an include path. Information disclosure follows directly from that (wp-config.php, for example, holds the database credentials); code execution additionally requires a file under attacker control to be present on the server, commonly through an upload feature or a log file the attacker can write into. Whether authentication is required is not stated in the CVE data and can only be inferred: an unauthenticated request to a public theme endpoint and an authenticated request from the WordPress back end are both plausible, and exposure may vary with site configuration. Until a fixed release is available, treat any public-facing site on an affected version as exposed, and review web-server logs for directory-traversal sequences (../, URL-encoded variants) and PHP stream wrappers in requests to theme paths.
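The following is an added illustration of the weakness described in the Impact and Risk sections above; it is not code from the Gaspard theme, from Elated-Themes, or from OpenCVE. It shows a minimal WordPress-style template loader in the vulnerable shape (request data concatenated straight into include()) next to a hardened replacement that allowlists template names and then confirms the resolved path stays inside the templates directory. The parameter name tpl, the template directory, the template names, and the self-check file names are assumptions made for the example.

```php
<?php
// Added example, not the theme's code. The parameter "tpl", the templates
// directory and the allowlisted template names are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern: request data reaches include() unchecked ---
// A request such as ?tpl=../../../../wp-config walks out of the templates
// directory and includes wp-config.php (database credentials). If the attacker
// can place a file containing PHP anywhere on the server (an upload, a poisoned
// log), the same include executes it: local file inclusion becomes code execution.
function load_template_vulnerable(string $templates_dir, array $request): void
{
    $tpl = $request['tpl'] ?? 'default';
    include $templates_dir . '/' . $tpl . '.php';   // attacker-controlled path segment
}

// --- Hardened form: exact allowlist, then realpath containment as defence in depth ---
const ALLOWED_TEMPLATES = ['default', 'portfolio', 'blog-masonry'];

/**
 * Map a user-supplied template name to an absolute path inside $templates_dir.
 * Returns null when the name is not allowlisted, the file is missing, or the
 * resolved path (after following symlinks) lies outside the directory.
 */
function resolve_template(string $templates_dir, string $name): ?string
{
    // 1. Strict allowlist: the only values that may ever reach include().
    //    Rejects traversal, null bytes and stream wrappers before any filesystem call.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Containment: even an allowlisted name must resolve under the directory
    //    (a symlink dropped into the templates directory would otherwise escape it).
    $base = realpath($templates_dir);
    $path = realpath($templates_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(string $templates_dir, array $request): void
{
    $path = resolve_template($templates_dir, (string) ($request['tpl'] ?? 'default'));
    if ($path === null) {
        http_response_code(400);   // fail closed; never fall back to the raw value
        exit;
    }
    include $path;
}

// --- Self-check (run with `php this_file.php`): builds a throwaway templates dir ---
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $dir     = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    $outside = sys_get_temp_dir() . '/lfi-demo-outside-' . getmypid() . '.php';
    mkdir($dir, 0700, true);
    file_put_contents($dir . '/default.php', "<?php echo 'default';\n");
    file_put_contents($outside, "<?php echo 'outside';\n");
    symlink($outside, $dir . '/blog-masonry.php');   // allowlisted name, escapes the dir

    $cases = [
        'default'                   => true,   // allowlisted, present, contained
        'portfolio'                 => false,  // allowlisted but file absent
        'blog-masonry'              => false,  // symlink resolves outside: step 2 rejects
        '../lfi-demo-outside'       => false,  // traversal: step 1 rejects
        'default/../../etc/passwd'  => false,
        "default\0"                 => false,  // null-byte truncation attempt
        'php://filter/resource=x'   => false,  // stream wrapper
    ];
    foreach ($cases as $input => $expect_ok) {
        $ok = resolve_template($dir, $input) !== null;
        printf("%-36s %s\n", json_encode($input), $ok === $expect_ok ? 'PASS' : 'FAIL');
    }
    unlink($dir . '/blog-masonry.php');
    unlink($dir . '/default.php');
    unlink($outside);
    rmdir($dir);
}
```

The allowlist alone would stop every input in the self-check except the symlink case, which is why the realpath containment check is kept as a second layer: it costs one filesystem lookup and protects against mistakes that are not visible in the request data. Sanitising the input (stripping ../ or dots) is deliberately not used as the primary control, since encoded and nested variants are easy to miss.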
OpenCVE Enrichment