Impact
The Yacht Rental theme from ThemeREX does not properly control the filename used in its PHP include/require logic, which enables local file inclusion in versions up to 2.6. An attacker can manipulate the requested filename, causing the server to include and potentially execute arbitrary local files. This can lead to disclosure of sensitive configuration files or user data, or, if a PHP file is included, to remote code execution within the context of the web application. The flaw directly threatens confidentiality and, depending on the files accessed, could also affect integrity and availability. The vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program), which covers unsafe file inclusion and related path traversal issues.
Affected Systems
WordPress sites using the ThemeREX Yacht Rental theme with a version number of 2.6 or earlier are affected. No further sub‑version details are provided, so any deployment of the theme as supplied in the 2.6 release or earlier must be considered vulnerable.
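To check an installation against the affected range, the following added example (not part of the advisory or of ThemeREX's code) reads the standard WordPress `style.css` theme header and compares its `Version:` field with 2.6. The `Theme Name:` value "Yacht Rental" and the sample header are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (2, 6)        # from the advisory: versions up to 2.6
THEME_NAME = "yacht rental"   # assumption: "Theme Name:" value in style.css
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):(.*)$", re.I | re.M)

# Constructed sample header, not taken from the real theme.
SAMPLE = """/*
Theme Name: Yacht Rental
Version: 2.5.1
*/"""

def parse_theme_header(css_text):
    """Return lower-cased header fields found in the first 8 KB of style.css."""
    fields = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):
        fields.setdefault(key.lower(), value.strip(" \t\r*/"))
    return fields

def version_tuple(version):
    """'2.6' -> (2, 6); parsing stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(css_text):
    """True/False for the Yacht Rental theme, None if another theme or no version."""
    fields = parse_theme_header(css_text)
    if THEME_NAME not in fields.get("theme name", "").lower():
        return None
    ver = version_tuple(fields.get("version", ""))
    if not ver:
        return None
    while len(ver) > 1 and ver[-1] == 0:   # treat 2.6.0 the same as 2.6
        ver = ver[:-1]
    return ver <= LAST_AFFECTED

def scan_themes(themes_dir):
    """Map each theme directory under wp-content/themes to is_affected()."""
    return {css.parent.name: is_affected(css.read_text(encoding="utf-8", errors="replace"))
            for css in sorted(Path(themes_dir).glob("*/style.css"))}

if __name__ == "__main__":
    print(scan_themes(sys.argv[1]) if len(sys.argv) > 1 else is_affected(SAMPLE))
```

Run it with the path to `wp-content/themes` as the only argument; a `None` result means the directory is a different theme or its header has no readable version and needs a manual look.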
Risk and Exploitability
The CVSS score of 8.1 indicates high severity with full network exposure. The EPSS score of less than 1% suggests that the likelihood of exploitation is currently low, though not negligible. The vulnerability is not listed in the CISA KEV catalog, but because the include is triggered by an ordinary HTTP request, it is reachable remotely by unauthenticated users. An attacker could craft a URL with a tampered parameter that points the include at a local file such as /etc/passwd, a server configuration file, or a PHP script that may lead to code execution. Systems should therefore be treated as high risk until mitigated.