The Buzz Stone WordPress theme contains an improper control of file names for PHP include/require operations. This flaw allows local file inclusion, meaning an attacker can cause the theme to read arbitrary files from the server. If an attacker can trick the site into including a file that contains malicious PHP code, this could lead to remote code execution. The vulnerability can also be used to read log files, configuration files, or other sensitive data, impacting confidentiality, integrity, and potentially availability if the attacker can upload or modify files. The likely attack vector is through unsanitized request parameters or template files that construct the file path for inclusion, but the exact entry point is not documented in the available information.

AncoraThemes’ Buzz Stone – Magazine & Viral Blog WordPress Theme, all released versions up to and including 1.0.2 are affected. No specific sub‑version or patch level is listed as fixed, so any installation of the theme in this version range is vulnerable.

With a CVSS score of 8.1, the vulnerability is considered high severity. Although the EPSS score is less than 1%, indicating low probability of exploitation in the wild at the time of assessment, the lack of a KEV listing means no confirmed exploitation is documented. Given the nature of the flaw, an attacker with sufficient privileges or file upload capabilities could leverage local file inclusion to read or inject code, making the risk significant for any site that uses the vulnerable theme. The vulnerability tends to require direct access to the target site or the ability to influence the file path used by the theme, which could be achieved through existing untrusted input vectors or web forms that the theme processes. When combined with other weaknesses, such as insecure file upload mechanisms, the exploitability could increase, potentially leading to full remote code execution.