This vulnerability, identified as CWE-98, arises from improper control of filenames used in PHP include or require statements within the ThemeREX Snow Club product. It allows unauthenticated attackers to perform local file inclusion, potentially enabling remote file inclusion attacks. The affected versions are Snow Club 1.1 and earlier. The CVSS 3.1 base score is 8.1, indicating high severity, with network attack vector, high complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available, and no known exploits are reported in the wild.

Successful exploitation could allow an unauthenticated attacker to include and execute arbitrary files on the server, leading to full compromise of confidentiality, integrity, and availability of the affected system. This can result in remote code execution or other severe impacts.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to vulnerable endpoints and consider applying temporary mitigations such as disabling vulnerable functionality or implementing web application firewall rules to block malicious input patterns related to file inclusion.