AncoraThemes ShieldGroup theme version 2.13 and earlier contains a flaw where the filename used in PHP include/require statements is not properly validated, leading to a classic CWE‑98 vulnerability. This allows an attacker to successfully cause the application to include an arbitrary local file, potentially exposing sensitive configuration files or files containing PHP code that could be executed under the web server’s context. The impact is therefore significant, granting the attacker the ability to read confidential data or gain code execution authority on the host.

Any WordPress site using the ShieldGroup theme up to and including version 2.13 is affected. The vulnerability applies to all installations that have not yet migrated to a later, patched theme release.

The vulnerability carries a CVSS score of 8.1, classifying it as high severity. The EPSS score is reported as less than 1 %, indicating a very low but non‑zero likelihood of current exploitation in the wild, and the flaw is not listed in CISA’s KEV catalog. Attackers would need to manipulate the include path via user input—likely through a crafted request—so the vector is inferred to be local server exposure rather than a straightforward remote invocation. While exploitation confidence is currently low, the potential damage warrants prompt action.