This vulnerability, classified as CWE-98, arises from improper validation or control of filenames used in PHP include or require statements within Axiomthemes Confidant. It allows an attacker to perform local file inclusion (LFI), which can lead to disclosure of sensitive information, code execution, or denial of service. The CVSS 3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, high attack complexity, no privileges required, and no user interaction needed. The affected product versions include all up to 1.4. No patch or official remediation guidance is currently available from the vendor, and the product is not a cloud service.

Successful exploitation can lead to full compromise of the affected system's confidentiality, integrity, and availability by including local files through PHP include/require statements. This can expose sensitive data, enable remote code execution, or cause denial of service. The vulnerability is remotely exploitable without authentication but requires high attack complexity.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to vulnerable endpoints, applying web application firewall rules to detect and block suspicious include/require requests, and limiting file permissions to reduce impact. Monitor vendor channels for updates and patches.