The vulnerability arises from improper validation of filenames used in PHP include/require statements within the Golo theme. This flaw permits an attacker to manipulate the file path supplied to an include, resulting in a Local File Inclusion (LFI). Through LFI, an attacker can read arbitrary files on the server, potentially exposing sensitive configuration data, credentials, or application code. In environments where the included files are executable or further processed, the LFI can also enable Remote Code Execution, escalating the impact from data disclosure to full system compromise. The root weakness is associated with CWE‑98, indicating a failure to safely handle include paths.

The vulnerability affects all installations of the uxper Golo WordPress theme older than version 1.7.5. Users running any of these versions should inspect whether the theme is present in their WordPress instance and determine if they have the listed and older versions installed.

The CVSS score of 9.8 reflects the high severity of this flaw, and the very low EPSS score (<1%) indicates that, as of the last measurement, exploitation attempts are currently scarce. However, the combination of a severe local file inclusion flaw and the potential for escalation to code execution makes this a critical risk. The vulnerability is not listed in the CISA KEV catalog, but its impact warrants immediate attention, particularly in systems exposed to untrusted input that might reach the theme’s include logic. Attackers would need to craft a request that passes a manipulated filename to the theme’s inclusion logic; no known active exploits have been publicly reported, yet the nature of the flaw makes it a strong candidate for future exploitation.