Impact
The vulnerability is a Local File Inclusion (LFI) flaw that allows an attacker to manipulate a file path used in a PHP include/require statement. If exploited, the attacker could read sensitive files such as configuration files or user passwords, and could potentially use the LFI to facilitate further code execution or data exfiltration. The impact ranges from loss of confidentiality to possible escalation to full remote code execution, because the flaw can be used to access server-side files with the privileges of the web process.
Affected Systems
WordPress sites that use the AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme in any version up to and including 1.2.5. Users of this theme should check whether their installation falls within the affected range and uses the theme as its primary plugin or template package.
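One way to run the version check described above, as an added example that is not from the advisory or the theme's vendor: it reads the Version field from a theme's style.css header and compares it with 1.2.5. The function names and the path argument are assumptions, and the header parsing only approximates how WordPress reads theme headers.

```python
import re
import sys
from pathlib import Path

# Last affected release, taken from the advisory text above.
LAST_AFFECTED = (1, 2, 5)

def parse_theme_header(style_css: str) -> dict:
    """Extract 'Theme Name' and 'Version' from a WordPress style.css header.

    Approximation of WordPress behaviour: only the first 8 KiB is read, and a
    field is 'Key: value' on its own line, optionally after comment characters.
    """
    head = style_css[:8192].replace("\r", "\n")
    fields = {}
    for key in ("Theme Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":(.*)$", head, re.I | re.M)
        if m:
            # Drop a trailing comment terminator that shares the line.
            fields[key] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return fields

def version_tuple(version: str) -> tuple:
    """'1.2' -> (1, 2, 0); '1.2.6-beta' -> (1, 2, 6); extra parts are kept."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece.strip())
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * max(0, 3 - len(parts)))

def is_affected(version: str) -> bool:
    """True when the version is at or below the last affected release."""
    return version_tuple(version) <= LAST_AFFECTED

def check_theme(style_css: str) -> str:
    """Return 'affected', 'not-affected', or 'unknown' (no Version header)."""
    version = parse_theme_header(style_css).get("Version")
    if not version:
        return "unknown"  # missing header: inspect the installation manually
    return "affected" if is_affected(version) else "not-affected"

if __name__ == "__main__":
    # Usage: python check_theme.py /path/to/wp-content/themes/<theme-dir>/style.css
    text = Path(sys.argv[1]).read_text(encoding="utf-8", errors="replace")
    print(parse_theme_header(text).get("Theme Name", "?"), check_theme(text))
```

The script prints the theme name found in the header so the operator can confirm the file belongs to the theme named in this advisory before acting on the result.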
Risk and Exploitability
The CVSS base score of 8.1 indicates a high-severity vulnerability, while the EPSS score of less than 1% indicates a currently low probability of exploitation. The flaw is not listed in CISA’s KEV catalog, suggesting no publicly known active exploitation. Attackers can trigger the flaw by crafting a request that causes the theme to include a file path influenced by user input. Successful exploitation requires that the web server permit the inclusion of local files via PHP, and that the target’s WordPress environment be reachable over the network.
OpenCVE Enrichment