This vulnerability, identified as CWE-98, arises from improper control of filenames used in PHP include or require statements within the ThemeREX Gunslinger product. It allows unauthenticated attackers to perform local file inclusion (LFI) on versions up to and including 1.7. The CVSS 3.1 base score is 8.1, indicating high severity with network attack vector, high attack complexity, no privileges required, no user interaction, and impacts to confidentiality, integrity, and availability. No known exploits are reported in the wild, and no vendor-provided patch or remediation is currently documented.

Successful exploitation of this vulnerability can lead to disclosure of sensitive files, modification of application behavior, and potentially full system compromise due to the ability to include arbitrary local files. The vulnerability affects confidentiality, integrity, and availability of the affected system. Since the attack requires no authentication, it poses a significant risk if the vulnerable version is exposed to untrusted networks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the vulnerable application to trusted networks only and monitor for suspicious activity. Avoid exposing the affected versions publicly. Review and harden PHP configurations to limit file inclusion risks where possible.