Impact
The vulnerability resides in the inclusion logic of AncoraThemes Pathfinder, where file names supplied to include/require statements are not properly validated. This flaw, classified as CWE‑98, permits an attacker to craft a request that causes the PHP interpreter to include any file present on the web server, potentially exposing confidential configuration files or enabling the execution of malicious code if arbitrary PHP files are included. Successful exploitation would compromise the confidentiality, integrity, or availability of the website and the underlying server environment.
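The weak include pattern that CWE-98 describes, shown beside a hardened form, as an added example that is not Pathfinder's code. The function names, the allowlist entries and the demo directory are hypothetical.

```php
<?php
// Added illustration of CWE-98; all names are hypothetical, not Pathfinder's code.

// Weak pattern: a request-controlled string reaches include unchecked.
function render_part_unsafe(string $part, string $baseDir): void
{
    include $baseDir . '/' . $part . '.php';
}

// Hardened pattern: map request values to fixed file names, then confirm
// the resolved path still sits inside the intended directory.
const ALLOWED_PARTS = [
    'header'  => 'header.php',
    'sidebar' => 'sidebar.php',
    'footer'  => 'footer.php',
];

function resolve_part(string $part, string $baseDir): ?string
{
    if (!array_key_exists($part, ALLOWED_PARTS)) {
        return null;                   // unknown key never touches the filesystem
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PARTS[$part]);
    if ($base === false || $path === false) {
        return null;                   // directory or file missing
    }
    // Containment check also catches symlinks that resolve outside $baseDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_part(string $part, string $baseDir): bool
{
    $path = resolve_part($part, $baseDir);
    if ($path === null) {
        return false;                  // caller decides the response, e.g. a 404
    }
    include $path;
    return true;
}

// Constructed demo: a throwaway directory with one allowed part.
$dir = sys_get_temp_dir() . '/parts_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/header.php', '<?php echo "header ok\n";');
var_dump(render_part('header', $dir), render_part('../outside', $dir));
```

The allowlist is the primary control; the `realpath` containment check is a second layer for cases where the directory contents themselves cannot be trusted.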
Affected Systems
The AncoraThemes Pathfinder theme for WordPress is affected in every release up to and including 1.16. The flaw is not present in any later versions.
Risk and Exploitability
The CVSS score of 8.1 places this defect in the high severity range, while the EPSS score of less than 1% indicates a currently low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through a web request that an unauthenticated or authenticated user can influence, allowing them to reference arbitrary paths on the server.