The WordPress Bassein theme implements PHP include and require statements that accept filenames supplied by clients without proper filtering. This flaw, identified as CWE-98, allows an attacker to cause the theme to read and include arbitrary files from the server’s filesystem. If a target of the include contains executable PHP code, the attacker can read or execute it. The CVE description specifically states that the vulnerability can lead to PHP Local File Inclusion; it does not explicitly confirm that remote code execution is always achievable, but it is inferred that execution is possible when the included file contains PHP.

All WordPress sites that have installed ThemeREX Bassein version 1.0.15 or earlier are affected. The issue applies to each instance of the theme across any website that has not applied an upgrade or patch that resolves the insecure include logic.

The flaw carries a CVSS score of 8.1, indicating a high severity level. The EPSS score is below 1 %, suggesting a low likelihood of seeing exploitation in the wild at present, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a controlled filename via an HTTP request that is then passed directly to the include/require call. Because the trigger is remote and does not depend on administrative credentials, a remote attacker can activate the flaw. While the description allows inference that arbitrary PHP code could be executed, the guarantee of remote code execution is not stated explicitly.