Impact
The vulnerability in the Axiomthemes SmartSEO theme arises from improper control of the filename used in PHP include/require calls. This flaw allows an attacker to force the theme to load arbitrary files from the server, potentially revealing sensitive configuration files or, when combined with additional exploitation techniques, executing malicious code on the host. Although the described issue is a local file inclusion (LFI), the nature of the include statement means that an attacker who can influence the target parameter may gain unintended access to files that are otherwise protected, compromising the confidentiality and integrity of the system.
Affected Systems
The SmartSEO WordPress theme provided by Axiomthemes is affected in all releases up to and including version 2.9. No affected versions beyond 2.9 are listed, indicating that updates later than 2.9 may have mitigated this flaw.
Risk and Exploitability
The CVSS score of 8.1 classifies this flaw as high severity. The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is nonetheless a crafted HTTP request that supplies an uncontrolled file path to the theme’s inclusion logic. If an attacker can manipulate this path, they may read arbitrary files or trigger malicious code execution. Consequently, while the immediate risk may be low given the low exploitation probability, the potential impact remains significant.
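To make the flawed pattern and its remediation concrete, the following PHP is an added example written for this page, not code from the SmartSEO theme or from Axiomthemes. It contrasts an include whose filename is taken straight from the request (the class of defect the advisory describes) with a version that resolves the request value through a fixed allowlist and verifies the resolved path stays inside the templates directory. The parameter name `template`, the `templates/` directory and the template file names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the theme's code. Parameter name, directory and
// template names below are assumptions.

// FLAWED PATTERN (shown only to illustrate the defect): the include target is
// built from an untrusted request value, so whatever path the client supplies
// is handed to include.
function load_template_uncontrolled(array $request): void
{
    $file = $request['template'] ?? 'default';
    include __DIR__ . '/templates/' . $file . '.php';
}

// HARDENED PATTERN: the request value is only ever used as a lookup key into
// a fixed map of known files; it never becomes part of a path.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',
    'sidebar' => 'sidebar.php',
    'footer'  => 'footer.php',
];

// Returns the absolute path of an allowlisted template, or null for any key
// that is not in the allowlist or that resolves outside the templates dir.
function resolve_template(string $key): ?string
{
    if (!array_key_exists($key, TEMPLATE_ALLOWLIST)) {
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$key]);

    // Defence in depth: even though the allowlist fixes the file name, confirm
    // the canonical path is still beneath the templates directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(array $request): void
{
    $key  = (string) ($request['template'] ?? 'default');
    $path = resolve_template($key);
    if ($path === null) {
        // Unknown key: refuse rather than fall back to a constructed path.
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Usage sketch: a known key resolves, anything else (including traversal
// sequences) is rejected before a path is ever built.
var_dump(resolve_template('sidebar') !== null);   // true if templates/sidebar.php exists
var_dump(resolve_template('../anything'));        // NULL: not an allowlist key
```

The important design point is that the hardened version never concatenates client input into a filesystem path at all; the `realpath` containment check is a second layer, not the primary control. Detection-wise, requests whose template parameter is not one of the known keys are the signal worth logging, since legitimate traffic should only ever carry allowlisted values.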
OpenCVE Enrichment