Impact
An improper control of the filename used in PHP include/require statements in the ThemeREX Dermatology Clinic theme allows an attacker to exploit a local file inclusion flaw. By manipulating the file path used in the theme's code, a remote user can cause arbitrary files from the host server to be included in the executed PHP request. This can lead to disclosure of sensitive data such as configuration files or private credentials, or potentially to code execution if the attacker can write a file that is subsequently included. The weakness corresponds to CWE-98: Improper Control of Filename for Include/Require Statements.
Affected Systems
WordPress sites running the ThemeREX Dermatology Clinic theme version 1.4.3 or earlier are affected. The vulnerability exists from the first released version through 1.4.3, and it does not affect later releases such as 1.4.4 or newer.
Risk and Exploitability
The CVSS score of 8.1 categorizes this vulnerability as high severity, indicating significant impact on confidentiality and integrity. The EPSS score of less than 1% suggests that, at present, exploit availability is low, yet the inherent risk remains because the flaw can be triggered via crafted URLs or inputs. The CVE is not listed in the CISA KEV catalog. Exploitation typically requires network access to the WordPress site and the ability to manipulate query parameters or craft requests that reference the vulnerable include path. The impact extends to any user who can access the affected endpoint, potentially allowing disclosure or alteration of system files.
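The following is an added illustration of the CWE-98 pattern described above and of the mitigation a theme developer would apply; it is not code from the ThemeREX theme, and the `template` query parameter, the `templates/` directory and the allowlist entries are hypothetical.

```php
<?php
// Added example (not the theme's code). Parameter name, directory layout
// and allowlist entries are hypothetical.

// CWE-98 pattern: the request controls the included path, so any readable
// file on the host can be pulled into the executing PHP request.
function load_template_unsafe(string $name): void {
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened: accept only names from a fixed allowlist, then confirm the
// resolved path still lives under the templates directory.
function resolve_template(string $name, string $base_dir): ?string {
    static $allowed = ['header', 'footer', 'sidebar'];  // hypothetical
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;  // directory or file does not exist
    }
    // Containment check: the resolved file must sit inside $base.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function load_template_safe(string $name, string $base_dir): bool {
    $path = resolve_template($name, $base_dir);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Request handling with the hypothetical parameter name.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'header';
$ok = load_template_safe($requested, __DIR__ . '/templates');
```

The allowlist is what closes the flaw; the `realpath` containment check is defence in depth against a future allowlist entry that contains separators.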
OpenCVE Enrichment