The vulnerability is an improper control of the filename in a PHP include/require statement. An attacker could supply a crafted filename that is resolved on the file system, allowing inclusion of local files. Because the inclusion occurs within the theme’s PHP code, arbitrary code execution is possible after the file is included. The weakness is classified as CWE-98 and carries a CVSS score of 8.1, indicating high severity. The impact manifests as a loss of confidentiality, integrity, and availability for the affected site once the attacker gains code execution.

Coinpress theme for WordPress, developed by ThemeREX, is affected on all releases from the initial available version up to and including 1.0.14. Users who have installed any of these versions and are maintaining the theme with the default file include logic are impacted. No specific WordPress core versions are listed as affected.

The EPSS score is reported as less than 1%, suggesting a low probability of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is a local file inclusion triggered by a parameter sent to the theme or a crafted URL that influences the include path. Successful exploitation would require that the attacker can control the input to the file inclusion mechanism, a condition that can be met via a weakness in the theme’s producer or a misconfiguration of WordPress that allows remote file uploads or path manipulation.