The vulnerability is an improper control of the filename used in PHP include/require statements (CWE‑98). In affected versions of the ThemeREX Tiger Claw theme, a user‑controlled parameter can dictate the file that is included, allowing the inclusion of arbitrary local files. The description indicates that if a PHP file is served by the inclusion, code execution within the application context could result. This inference is derived from the statement that the issue allows local file inclusion and the known consequences of LFI attacks. The primary impact is potential disclosure of sensitive files and possible remote code execution if the attacker can provoke the inclusion of a PHP file.

The WordPress theme Tiger Claw from ThemeREX is affected. All releases from its initial version through 1.1.14 contain the vulnerability. Any installation using a version equal to or older than 1.1.14 is vulnerable; newer releases are not impacted.

CVE carries a CVSS v3.1 score of 8.1, classifying it as high severity. The EPSS score is reported as <1%, indicating that exploitation in the wild is currently rare. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves supplying a crafted URL or input that alters the filename passed to include/require statements; this inference is made because the description states that the file name is improperly controlled. The exploitation does not require authentication, suggesting any user who can send a request to the vulnerable endpoint could potentially trigger the inclusion. Proper input validation or isolation would mitigate the issue.