The Dr.Patterson theme contains an include or require statement that uses a filename derived directly from user input without proper validation. This design flaw permits a local file inclusion (LFI) attack, enabling an attacker to load arbitrary files from the server filesystem. The description indicates that an attacker could potentially read sensitive data or execute malicious code by including PHP files. Based on the description, it is inferred that an LFI could be used to read restricted files or, if an attacker can craft a PHP file path, achieve code execution. The vulnerability is identified as CWE‑98, which addresses improper control of a filename used in include/require operations.

The vulnerability affects the ThemeREX Dr.Patterson WordPress theme for all releases up to and including version 1.3.2. Sites running any of these releases are potentially exposed. The issue is documented as affecting the theme from an unspecified starting version through 1.3.2, meaning any deployment of the theme older than or equal to 1.3.2 is affected.

The CVSS score of 8.1 classifies the vulnerability as high severity, signaling a significant risk to confidentiality, integrity and availability if exploited. The EPSS score of less than 1% indicates a low but non‑zero likelihood of active exploitation in the wild. Because the flaw is a local file inclusion in a WordPress theme, an attacker generally needs a web request that triggers the vulnerable include. This may presuppose authenticated access or the exploitation of another weakness that provides sufficient input. Based on the description, it is inferred that, if successful, the LFI could allow reading privileged files or executing PHP code, effectively providing remote code execution on the host.