This vulnerability arises from improper validation or control of filenames in PHP include or require statements within the PawFriends WordPress theme. An attacker could exploit this to perform Local File Inclusion (LFI), potentially executing arbitrary code or accessing sensitive files on the server. The affected versions are up to and including 1.3. The CVSS 3.1 vector indicates network attack vector, high attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Successful exploitation could lead to disclosure of sensitive information, unauthorized code execution, and disruption of service on the affected WordPress site using the PawFriends theme. The high CVSS score reflects the critical nature of these impacts. No known exploits are reported in the wild as of the published date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or removing the affected theme to mitigate risk. Monitor official Mikado-Themes communications for updates regarding patches or mitigations.