Impact
The vulnerability is an improper validation of the filename passed to an include/require statement in the MoveMe theme. Because a user-controlled value reaches the include call without being checked against an allowlist or confined to the intended directory, an attacker can make the PHP engine load arbitrary files from the server's filesystem (within the permissions of the web-server process). include and require do not merely read the target file, they execute any PHP it contains, so if the attacker can get PHP code into any file the server can read (an uploaded file, a log entry, a session file), the flaw becomes code execution in the context of the web application and potentially full control of the site. Even without code execution, reading configuration files such as wp-config.php (which holds the database credentials), logs, or other sensitive data leads to information disclosure and can be leveraged for privilege escalation.
Affected Systems
AncoraThemes MoveMe theme, versions through 1.2.15 (that is, 1.2.15 and every earlier release). The flaw is in the theme's PHP code rather than in the hosting stack, so any WordPress installation with the theme installed is affected regardless of the underlying server OS or PHP version, as long as the theme's include logic is active.
Risk and Exploitability
A CVSS score of 8.1 places this in the high-severity band. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild at the time of scoring, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; EPSS is recomputed daily, so treat it as a point-in-time estimate rather than evidence that the flaw is safe to leave unpatched. The "local" in local file inclusion refers to where the included file lives, not to where the attacker sits: if the theme reaches the vulnerable include with a value taken from a publicly reachable request (a query parameter, for example), the flaw is exploitable remotely. An attacker who can influence the include path can read local files and, where PHP code can be placed into a readable file, execute it, making the risk significant for internet-facing WordPress installations running the affected theme.
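Because exploitation arrives as ordinary HTTP requests, a practitioner's first check is usually the web-server access log. The following is an added example, not part of the advisory or of OpenCVE's data, of flagging request URIs that carry typical file-inclusion payloads. The log lines are constructed, and the `template` query parameter is hypothetical, since the advisory does not name the real one; the indicators themselves (path traversal, PHP stream wrappers, null bytes, absolute system paths) are generic to this bug class.

```php
<?php
// Added example: scan combined-format access log lines for LFI indicators.
// SAMPLE_LOG is constructed; the query parameter name is an assumption.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2025:10:00:03 +0000] "GET /?template=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 987 "-" "curl/8.0"
198.51.100.7 - - [10/Jan/2025:10:00:04 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3001 "-" "curl/8.0"
192.0.2.9 - - [10/Jan/2025:10:00:05 +0000] "GET /?template=home HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
LOG;

/** Return the list of LFI indicators present in a request URI (empty if none). */
function lfi_indicators(string $uri): array
{
    // Decode twice so that double-encoded traversal (..%252F) is caught too.
    $decoded = rawurldecode(rawurldecode($uri));
    $hits = [];
    if (preg_match('#\.\.[/\\\\]#', $decoded)) {
        $hits[] = 'traversal';
    }
    if (stripos($decoded, 'php://') !== false) {
        $hits[] = 'php-wrapper';
    }
    if (strpos($decoded, "\0") !== false) {
        $hits[] = 'null-byte';
    }
    if (preg_match('#(^|=)/(etc|proc|var/log)/#', $decoded)) {
        $hits[] = 'absolute-path';
    }
    return $hits;
}

/** Parse combined-format lines and return the flagged requests. */
function scan_access_log(string $log): array
{
    $flagged = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // client IP, then method and request target from the quoted request line
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)/', $line, $m)) {
            continue; // not a combined-format line, skip it
        }
        $hits = lfi_indicators($m[3]);
        if ($hits !== []) {
            $flagged[] = ['ip' => $m[1], 'uri' => $m[3], 'indicators' => $hits];
        }
    }
    return $flagged;
}

foreach (scan_access_log(SAMPLE_LOG) as $f) {
    printf("%-14s %s [%s]\n", $f['ip'], $f['uri'], implode(',', $f['indicators']));
}
```

Run against the constructed sample, this flags the three payload lines and leaves the stylesheet request and the legitimate `template=home` request alone. A 200 response on a flagged line is worth a closer look, since an LFI that succeeds typically returns the included content with a success status; a real hunt should also match on the theme's actual parameter name once it is known.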
OpenCVE Enrichment