The vulnerability arises from insufficient validation of the filename used in a PHP include/require statement within the ThemeREX Progress theme. This flaw, categorized as CWE-98, allows a malicious actor to instruct the server to include arbitrary local files when a user visits the site. The primary impact can include unauthorized disclosure of sensitive files such as configuration or database credentials and, in some scenarios, execution of malicious PHP code if a writable file can be injected. Even though the entry is labeled a "Remote File Inclusion" vulnerability, the implementation described indicates it is a local file inclusion that can be triggered remotely via crafted requests to the site.

The issue affects the ThemeREX Progress WordPress theme for all releases up to and including version 1.2. In particular, any site that has the theme installed with a version number of 1.2 or earlier is vulnerable. Versions released after 1.2 are not considered affected by the information currently available.

The CVSS score of 8.1 signals a high severity, reflecting the potential for significant confidentiality and integrity damage. However, the EPSS score is reported as less than 1%, indicating a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers are likely to leverage the vulnerable include mechanism via an externally craftable URL parameter, making the attack vector remote and accessible to unauthenticated users who can probe the website. Successful exploitation could expose sensitive data or enable code execution, hence the high CVSS score, but the low EPSS suggests it is not currently actively targeted.