The vulnerability arises from an unsanitized filename used in a PHP include or require statement within the AncoraThemes ChildHope theme. This flaw enables a local file to be included without proper validation, potentially exposing sensitive files. Based on the description, it is inferred that such an action could allow unintended PHP code execution. The weakness is classified as a Local File Inclusion, aligning with CWE‑98. The primary result is that an attacker can read internal files or execute unintended scripts on the web server, compromising confidentiality and potentially the integrity of the website’s data.

Any WordPress installation using the AncoraThemes ChildHope theme version 1.1.8 or earlier is vulnerable. These versions can be present on any site that has not yet upgraded the theme beyond the specified threshold.

The CVSS score of 8.1 indicates a high severity issue. An EPSS score of <1% suggests that, at the time of assessment, the probability of real‑world exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector involves sending a crafted request that manipulates the filename parameter used in the theme’s include/require chain, possibly via a URL parameter or form input. Successful exploitation would enable reading of privileged files such as wp‑config.php, and it is inferred that exploitation could also permit malicious code execution if the attacker can influence the path handling logic.