The vulnerability stems from improper control of filenames used in PHP include/require statements within the Integro theme, permitting an attacker to force the inclusion of arbitrary local files. When exploited, this can expose sensitive configuration files, log files, or enable execution of malicious code on the WordPress site, compromising confidentiality, integrity, and possibly availability. The weakness is classified as CWE‑98, indicating insecure file inclusion with insufficient validation or sanitization.

AncoraThemes Integro theme, versions up to and including 1.8.0, running on WordPress installations where the theme is active. No statements are given about specific WordPress versions, but any site employing these theme versions is vulnerable.

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests low probability of exploitation at the time of this assessment. The vulnerability is not listed in the CISA KEV catalog. Because the flaw involves local file inclusion, an attacker could trigger it via crafted URLs or inputs that influence the include path; thus the likely attack vector is local or remote file inclusion through the web interface. No public exploit is currently documented, but the combination of high impact and the existence of a known solution via theme upgrade means the risk is substantial if the vulnerability remains unpatched.