Impact
The vulnerability arises from improper control of filenames used in PHP include/require statements within the TieLabs Jannah theme, allowing an attacker to include arbitrary local files on the server. Exploiting this local file inclusion can expose sensitive data such as configuration files, credentials, and potentially serve as a launchpad for further attacks, including code execution or privilege escalation. This weakness is consistent with CWE‑98: Improper Control of Filename for Include/Require Statement.
Affected Systems
The TieLabs Jannah theme for WordPress is affected. No starting version is given (n/a), so all versions through 7.6.3, inclusive, contain the flaw. The theme is commonly used on WordPress installations, so any site running one of these versions is at risk; no other vendors or products are listed.
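To check an installation against this range, the following added example (not code from the advisory or from TieLabs) reads each theme's `style.css` header and flags Jannah copies at or below 7.6.3, along with child themes that load it. It assumes the standard `wp-content/themes` layout and that the theme sits in a directory named `jannah`; the sample tree is constructed.

```python
import re, tempfile
from pathlib import Path

LAST_AFFECTED = (7, 6, 3)  # upper bound of the affected range in this advisory
PARENT_SLUG = "jannah"     # assumption: the theme's default directory name

def read_header(style_css):
    """Parse 'Key: value' header fields; WordPress reads only the first 8 KiB."""
    text = style_css.read_bytes()[:8192].decode("utf-8", errors="replace")
    fields = {}
    for m in re.finditer(r"^[ \t/*#@]*([A-Za-z ]+?)[ \t]*:[ \t]*(.+?)\s*$", text, re.M):
        fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def classify(version):
    """Compare a dotted version string against the advisory's upper bound."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        return "UNKNOWN"  # no Version header: verify by hand
    nums += [0] * (3 - len(nums))
    return "AFFECTED" if tuple(nums) <= LAST_AFFECTED else "outside affected range"

def scan(wp_root):
    """Return {theme_dir: status} for Jannah copies and child themes built on it."""
    parents, children = {}, []
    for css in sorted(Path(wp_root).glob("wp-content/themes/*/style.css")):
        hdr, slug = read_header(css), css.parent.name
        if slug == PARENT_SLUG or hdr.get("theme name", "").lower() == "jannah":
            parents[slug] = classify(hdr.get("version", ""))
        elif hdr.get("template", "").lower() == PARENT_SLUG:
            children.append(slug)  # child themes run the parent's PHP
    inherited = parents.get(PARENT_SLUG, "parent theme not found")
    return {**parents, **{c: inherited for c in children}}

def build_sample(root):
    """Constructed sample tree, not taken from a real site."""
    themes = {
        "jannah": "/*\nTheme Name: Jannah\nVersion: 7.6.3\n*/",
        "jannah-child": "/*\nTheme Name: Jannah Child\nTemplate: jannah\nVersion: 1.0\n*/",
        "other": "/*\nTheme Name: Other\nVersion: 2.1\n*/",
    }
    for slug, css in themes.items():
        d = Path(root) / "wp-content" / "themes" / slug
        d.mkdir(parents=True)
        (d / "style.css").write_text(css)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for theme, verdict in scan(build_sample(tmp)).items():
            print(f"{theme}: {verdict}")
```

A child theme is reported with its parent's status because it executes the parent theme's PHP; an inactive but installed copy is still listed, since its files remain on disk.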
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation in the near term. The CVE is not part of the CISA KEV catalog. Exploitation would typically occur through the web interface of a site where the theme is active, by sending crafted requests that trigger the vulnerable include. No authentication requirement is mentioned, implying that unauthenticated or low‑privilege users could potentially succeed; the ultimate impact depends on file system permissions and web server configuration.