The vulnerability stems from an improper control of filenames used in PHP include/require statements within the Yungen theme. An attacker can supply a crafted filename during a web request, causing the theme to include unintended local files. This opens a window for the disclosure of critical files such as configuration files, database credentials, or other sensitive data stored on the server. Depending on file permissions and the ability to manipulate the included file, further steps could lead to remote code execution or other advanced attacks. The weakness aligns with the common vulnerability CWE-98 and carries a CVSS score of 8.1, indicating a high severity impact on confidentiality and integrity.

The issue affects all installations of the ThemeREX Yungen WordPress theme from its initial release up to version 1.0.12 inclusive. Any website using this theme within that version range is potentially vulnerable.

With a CVSS score of 8.1 the vulnerability is classified as high. The EPSS score of less than 1% suggests that, as of the latest data, the likelihood of exploitation is low, and the vulnerability is not currently in CISA's KEV catalog. However, the attack vector is local file inclusion, which is typically triggered via a crafted HTTP request to the affected theme, meaning an external attacker can attempt to exploit the flaw without needing prior access. The combination of high severity and potential for sensitive data exposure warrants immediate remediation.