The vulnerability arises from improper control of the filename supplied to PHP include/require calls in the Echo theme. A malicious user can supply a user‑controlled path that points to arbitrary files on the server, enabling the execution of arbitrary PHP code or the disclosure of sensitive files. This flaw is a CWE‑98 Local File Inclusion whose impact includes possible remote code execution, data leakage, or integrity compromise if the remote code is executed within the context of the web application.

AncoraThemes Echo theme is affected in all releases up to and including version 1.15.0. The vulnerability applies to WordPress installations that have the Echo theme installed, regardless of the exact major or minor patch level, as the flaw is present in all builds from the earliest release through 1.15.0.

With a CVSS score of 8.1 the flaw is considered high severity, yet the EPSS value of less than 1% indicates that exploitation in the wild is currently rare. The vulnerability is not listed in the CISA KEV catalog, but should still be remedied promptly. The likely attack vector is local file inclusion triggered by an authenticated or unauthenticated user submitting crafted data to the theme’s included PHP code. An attacker who successfully includes a malicious file can execute PHP code on the server, which can lead to full compromise of the web environment.