This vulnerability in PeakShops arises from insufficient validation of filenames used in PHP include or require statements, enabling PHP Local File Inclusion. The flaw affects versions before 1.5.9 and can be exploited remotely without authentication, but requires high attack complexity. Successful exploitation could lead to complete system compromise, including disclosure and modification of sensitive data and disruption of service. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability.

Exploitation of this vulnerability allows an unauthenticated remote attacker to include local files on the server, potentially leading to arbitrary code execution, data disclosure, and service disruption. The impact is rated high due to the potential for full system compromise. No known active exploitation has been reported.

Patch status is not yet confirmed — no official patch or vendor advisory is currently available. Users should monitor the vendor's communications for updates and apply any official fixes once released. Until then, restricting access to vulnerable endpoints and applying web application firewall rules to block suspicious include requests may reduce risk.