Improper control of filenames used in PHP include/require statements within the Mikado‑Themes TopScorer theme allows attackers to perform local file inclusion. By manipulating the include path, an adversary can read arbitrary files on the server or trigger code execution if malicious files are included. This weakness can expose confidential data, compromise site integrity, or allow arbitrary code to run, thereby jeopardizing confidentiality, integrity, and availability of the affected WordPress installation.

The vulnerability affects the WordPress TopScorer theme developed by Mikado‑Themes, for all versions from the initial release through version 1.2. Systems running any of these versions are susceptible.

The CVSS score of 8.1 indicates high severity. The EPSS score is below 1%, suggesting a low yet non‑zero likelihood that the flaw is currently being exploited in the wild. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. While the description indicates a local file inclusion, the typical exploitation path would involve a remote attacker sending a crafted HTTP request to the website, exploiting the theme’s insecure file handling. Pre‑conditions include the theme being active and the attacker having a way to influence the include path, such as a vulnerable query parameter or file upload.