Impact
The vulnerability allows a Local File Inclusion (LFI) attack by exploiting improper control of the filename used in a PHP include/require statement within the Kings & Queens theme. This weakness, classified as CWE-98, enables an attacker to read arbitrary files on the web server. The potential impact includes disclosure of sensitive server files and configuration data. While the description does not explicitly mention code execution, if an attacker can supply a malicious PHP file, LFI could lead to execution of that code; this is an inferred possibility.
Affected Systems
This issue affects the AncoraThemes Kings & Queens WordPress theme in all releases from the earliest version through 1.1.16. Any site using a version of the theme in this range could be impacted; newer releases are presumed unaffected.
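To check an install against the affected range above, this added example (not part of the advisory or the theme's code) reads each theme's `style.css` header and flags copies at or below 1.1.16. The name match on "Kings ... Queens", the sample directory names and the sample version 1.2.0 are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 1, 16)  # from the advisory: all releases through 1.1.16
# Assumption: the theme's "Theme Name" header contains both words.
NAME_PATTERN = re.compile(r"kings.*queens", re.IGNORECASE)
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version|Template):[ \t]*(.+?)[ \t]*$", re.M)


def parse_version(text):
    """'1.1.16' -> (1, 1, 16); returns () when no leading version number exists."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else ()


def read_theme_header(style_css):
    """Parse the header fields from the first 8 KiB of a theme's style.css."""
    return dict(HEADER.findall(style_css.read_text(encoding="utf-8", errors="replace")[:8192]))


def find_affected(themes_dir):
    """List (directory, version) of installed copies at or below 1.1.16.

    A missing or unparsable version compares as () and is reported as affected.
    """
    hits = []
    for style in sorted(Path(themes_dir).glob("*/style.css")):
        header = read_theme_header(style)
        if "Template" in header or not NAME_PATTERN.search(header.get("Theme Name", "")):
            continue  # child themes carry their own version; the parent is checked itself
        version = header.get("Version", "")
        if parse_version(version) <= LAST_AFFECTED:
            hits.append((style.parent.name, version or "unknown"))
    return hits


def build_sample_tree(root):
    """Constructed sample install; directory names and version 1.2.0 are made up."""
    samples = {"kings-queens": ("Kings & Queens", "1.1.16"),
               "kings-queens-b": ("Kings & Queens", "1.2.0"),
               "other-theme": ("Other Theme", "1.0.0")}
    for folder, (name, ver) in samples.items():
        d = Path(root) / folder
        d.mkdir(parents=True)
        (d / "style.css").write_text(f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(find_affected(build_sample_tree(tmp)))
```

On a real site, pass the path of `wp-content/themes` to `find_affected`.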
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local via a URL parameter or administrative endpoint that triggers the include. Exploitation would rely on file permissions and the presence of a writable local file; the description does not confirm that arbitrary PHP execution is possible, so this remains an inferred risk.