Impact
The vulnerability allows a malicious actor to trigger local file inclusion through improper control of a filename in the WordPress LoveDate theme. This flaw can lead to arbitrary file read and, if the attacker can supply PHP code, remote code execution. The weakness is a classic PHP LFI scenario tied to CWE‑98. The impact is limited to files accessible on the web server, but in environments where user‑controlled files are writable, the risk escalates. The description indicates the problem originates from an include/require statement that does not sanitize the path parameter, permitting inclusion of unintended local files.
Affected Systems
The defect is present in the LoveDate theme supplied by jwsthemes for WordPress, affecting all versions from the earliest release up through 3.8.5. Any WordPress installation deploying this theme without patching to 3.8.6 or later is susceptible. No specific CPE strings were listed, but the issue applies to any WordPress instance running the affected theme.
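To find affected installs, the following added example (not OpenCVE or vendor code) reads each theme's style.css header under a WordPress root and flags LoveDate copies older than 3.8.6. Matching on a "Theme Name" header that contains "lovedate" is an assumption, and the sample tree in demo() is constructed.

```python
import re
import tempfile
from pathlib import Path

FIXED = (3, 8, 6)        # first patched release, per the advisory
THEME_NAME = "lovedate"  # assumption: appears in the "Theme Name" header

def read_header(style_css: str) -> dict:
    """Parse the 'Key: value' header fields of a theme's style.css."""
    fields = {}
    for line in style_css[:8192].splitlines():  # headers sit at the top of the file
        m = re.match(r"^[\s*/#@]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(?:\*/)?\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def parse_version(text: str) -> tuple:
    """Turn '3.8.5' into (3, 8, 5); missing components count as 0."""
    nums = re.findall(r"\d+", text)[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))

def audit(wp_root) -> list:
    """Return (theme_dir, version, status) for each LoveDate copy under wp_root."""
    findings = []
    for css in sorted(Path(wp_root).glob("wp-content/themes/*/style.css")):
        hdr = read_header(css.read_text(encoding="utf-8", errors="replace"))
        if THEME_NAME not in hdr.get("theme name", "").lower().replace(" ", ""):
            continue
        version = hdr.get("version")
        if version is None:
            status = "unknown"  # no Version header: check this copy by hand
        else:
            status = "vulnerable" if parse_version(version) < FIXED else "patched"
        findings.append((css.parent, version, status))
    return findings

def demo() -> list:
    """Run the audit over a constructed tree (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp())
    samples = {"lovedate": "3.8.5", "lovedate-new": "3.8.6", "twentytwenty": "2.1"}
    for slug, ver in samples.items():
        d = root / "wp-content" / "themes" / slug
        d.mkdir(parents=True)
        name = "LoveDate" if slug.startswith("lovedate") else "Twenty Twenty"
        (d / "style.css").write_text(
            f"/*\nTheme Name: {name}\n * Version: {ver}\n*/\nbody{{margin:0}}\n")
    return [(p.name, v, s) for p, v, s in audit(root)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Call audit() with the path of a real WordPress root to check a live site; inactive copies of the theme are reported too, since their files remain reachable on disk.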
Risk and Exploitability
The CVSS base score of 8.1 classifies the flaw as high severity, while the EPSS score below 1% indicates a currently low probability of exploitation in the wild. The vulnerability is not in the CISA KEV catalog, suggesting no publicly available exploits are known. Attackers would need to craft a request that manipulates the filename parameter to include a local file; the description implies a typical LFI attack vector via a URL or form input. The risk is therefore moderate to high for organizations that cannot deprecate or patch the theme promptly.
OpenCVE Enrichment