Impact
AncoraThemes MaxCube, a WordPress theme, does not properly control the filename used in PHP include/require statements. This flaw permits local file inclusion (LFI), allowing an attacker to load arbitrary files from the server. The vulnerability can lead to disclosure of sensitive information or, if conditions permit, execution of malicious code. The weakness corresponds to CWE-98 (improper control of filename for include/require statement in PHP), indicating a failure to validate user-supplied file names correctly.
Affected Systems
The affected product is the MaxCube theme developed by AncoraThemes. All releases up to and including version 1.3.1 are vulnerable. No lower bound on affected versions is given, so any installation running 1.3.1 or earlier should be treated as affected.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not referenced in CISA's KEV catalog. The attack vector most likely involves manipulating a path used by the theme's PHP include logic, for example by tampering with a URL parameter or form input, but the description does not detail the exact trigger, so this inference is based on typical LFI exploitation patterns. Because the flaw allows reading or executing files locally, it poses a significant confidentiality and integrity risk if exploited.
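To make the CWE-98 pattern above concrete, here is an added illustration of the weak include shape beside a hardened version. This is example code written for this page, not code from the MaxCube theme or AncoraThemes; the request parameter name `template`, the `templates/` directory and the allowlist entries are assumptions.

```php
<?php
// Added illustration of the CWE-98 pattern; not the theme's own code.
// The "template" parameter and the templates/ directory are assumptions.

// Weak shape: user-supplied text becomes part of the included path.
// Any value the caller controls here decides which file PHP loads.
function load_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened shape: the user value selects a key in a fixed allowlist and
// never becomes path text; the resolved path is additionally confined
// to the templates directory as defence in depth.
const TEMPLATE_ALLOWLIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

function load_template_safe(string $template): bool
{
    if (!array_key_exists($template, TEMPLATE_ALLOWLIST)) {
        return false; // unknown name: refuse rather than guess
    }

    $base = realpath(__DIR__ . '/templates');
    $real = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$template]);

    // Both paths must resolve, and the target must sit inside the base directory.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    include $real;
    return true;
}

// Dispatch: an unrecognised value is rejected with a 400 instead of being
// passed anywhere near include().
$name = isset($_GET['template']) ? (string) $_GET['template'] : 'header';
if (!load_template_safe($name)) {
    http_response_code(400);
    echo 'unknown template';
}
```

The allowlist is the control that actually removes the CWE-98 condition; the `realpath` confinement only catches mistakes in the allowlist itself. When reviewing a theme or plugin for this class of flaw, the question to ask of every `include`/`require` is whether any part of its argument can be influenced by request data, and if so whether that influence is reduced to choosing among fixed, known files.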
OpenCVE Enrichment