Impact
The Emphires theme passes user-controlled input to PHP's include or require function without proper validation, allowing inclusion of arbitrary local files. This weakness is identified as CWE-98. When exploited, an attacker could read sensitive configuration files, view database credentials, or, if the included file is PHP code, execute it on the server, thereby compromising data confidentiality and integrity.
Affected Systems
WordPress installations that employ the Creatives_Planet Emphires theme version 3.9 or earlier are affected. All releases from the first documented version up to and including 3.9 contain the flaw.
Risk and Exploitability
No CVSS score is listed, EPSS data is unavailable, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector is a user-supplied parameter that determines the file path used in the include/require call. Based on the description, it is inferred that a remote attacker could read local files and potentially execute arbitrary PHP code if the site hosts writable PHP scripts, posing a moderate to high risk for publicly accessible WordPress sites that have not been updated.
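The validation that this class of flaw (CWE-98) lacks, as an added PHP example that is not the Emphires theme's code. The parameter name layout, the layouts directory and the template names are hypothetical; the unvalidated pattern appears only as a comment, beside an allowlist plus realpath containment check.

```php
<?php
// Added illustration of CWE-98 hardening; not code from the Emphires theme.
// The "layout" parameter, directory and template names are hypothetical.

// Unvalidated pattern (commented out): the request value reaches include as-is.
// include get_template_directory() . '/layouts/' . $_GET['layout'] . '.php';

/**
 * Map a requested layout name to a file inside $baseDir, or return null.
 */
function resolve_layout(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only known names pass, compared strictly as strings.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Containment: canonicalise both paths (resolves symlinks and "..")
    //    and require the target to sit under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // base missing, or allowlisted name has no file on disk
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one layout file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'layouts_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/grid.php', '<?php echo "grid layout\n";');
$allowed = ['grid', 'list'];

// Constructed inputs: valid, allowlisted but absent, traversal-style, unknown.
foreach (['grid', 'list', '../grid', 'unknown'] as $input) {
    $file = resolve_layout($input, $dir, $allowed);
    if ($file !== null) {
        include $file;
    } else {
        echo "rejected: $input\n";
    }
}

unlink($dir . '/grid.php');
rmdir($dir);
```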