The vulnerable theme contains a file inclusion mechanism that fails to sanitize the filename supplied through user input. This flaw permits a local file inclusion (LFI) that can read arbitrary files from the server’s filesystem and, if a PHP file is delivered to the target, can lead to remote code execution or privilege escalation. The affected code is triggered by theme functions that use PHP include/require statements without proper validation of the file path parameter, which is a classic example of CWE‑98. Consequently, a malicious actor who can influence the inclusion path is able to compromise the confidentiality, integrity, and availability of the entire site.

WordPress sites that have installed ThemeREX’s Tediss theme version 1.2.4 or earlier are impacted. The vulnerability applies to every instance of the theme, regardless of who manages the WordPress installation, because the flaw is embedded in the core template files of the theme itself.

The CVSS v3 base score of 8.1 reflects a high severity, and the EPSS score of less than 1% indicates a low current likelihood of exploitation in the wild, though the potential impact remains severe. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no active widespread exploitation reports. The attack vector is likely local to the web application’s code flow; an attacker must be able to supply a controlled input that is interpreted as a file path in the inclusion routine. If successful, the attacker can read sensitive configuration files or upload a malicious PHP script that is subsequently executed, resulting in full control of the site. The absence of a public exploit combined with the high CVSS rating warrants prompt mitigation to avoid future exploitation.