Impact
The ThemeREX Asia Garden WordPress theme up to version 1.3.1 contains an Improper Control of Filename for Include/Require Statement vulnerability (CWE‑98). User-controlled input is directly used in a PHP include, allowing an attacker to specify arbitrary local files that will be read and executed by the web server. This can lead to disclosure of sensitive data or execution of malicious code on the host, thereby granting remote code execution capabilities.
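The inclusion pattern described above, next to one hardened form, as an added example. This is hypothetical code, not taken from the Asia Garden theme: the `layout` parameter, the `resolve_template()` helper and the template file names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical code, not the Asia Garden theme's own source.

// Vulnerable pattern (CWE-98), shown only as a comment so this file is safe to run:
// the request value becomes part of the include path.
//   include get_template_directory() . '/templates/' . $_GET['layout'] . '.php';

/**
 * Resolve a requested template name to a file inside $baseDir, or return null.
 * $allowed maps public names to file names, so the request never supplies a path.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist lookup: names that are not known in advance are rejected.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false when the file is missing.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment check: the resolved file must sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory stands in for the theme's template folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'grid.php', "<?php // constructed template\n");
$allowed = ['grid' => 'grid.php', 'list' => 'list.php']; // list.php is deliberately absent

foreach (['grid', 'list', '../outside', 'grid.php'] as $name) {
    $resolved = resolve_template($name, $base, $allowed);
    printf("%-12s => %s\n", $name, $resolved ?? 'rejected');
    // A caller would run `include $resolved;` only when $resolved is not null.
}

unlink($base . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($base);
```

Only `grid` resolves to a path; the missing file, the traversal-style name and the raw file name are all rejected before any include would run.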
Affected Systems
WordPress sites using the ThemeREX Asia Garden theme are affected, in any installed release from the initial public release through version 1.3.1. The theme itself provides no mitigations, so all affected installations run the vulnerable code.
Risk and Exploitability
The vulnerability has a CVSS score of 8.1 and an EPSS score of less than 1%, indicating a low overall exploitation probability at present, and it is not listed in the CISA KEV catalog. An attacker can trigger the local file inclusion (LFI) by manipulating a URL parameter or form input that references the theme's PHP files, potentially using path traversal to read or execute arbitrary local files. The vulnerability is exploitable from the web server side and requires the theme to be in use. The description does not explicitly require authentication, but the exact scope is not defined. Given the high severity score, the risk remains high wherever the vulnerability is present, even though the current likelihood of exploitation appears low.