PHP Scripts Mall Open Source Real-estate Script 3.6.2 allows remote attackers to list the wp-content/themes/template_dp_dec2015/img directory.