Impact
This vulnerability is caused by improper validation of filenames passed to PHP include or require statements in the AncoraThemes Modern Housewife theme. The flaw lets an attacker craft a request that causes the application to include a local file. This can lead to the disclosure of sensitive files such as configuration files or credentials, and if the included file contains executable PHP code, it could facilitate further compromise. The issue maps to CWE-98, improper control of filenames for include/require statements. Based on the description, it is inferred that no authentication is required to trigger the flaw and that the attacker can craft a malicious request over the network to exploit it.
Affected Systems
The flaw affects WordPress sites that use the Modern Housewife theme from AncoraThemes, in all versions up to and including 1.0.12. Any installation using one of these versions is potentially vulnerable. Based on the description, it is inferred that the vulnerability does not depend on specific server configuration beyond the theme's inclusion logic.
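A version check for the range stated above, added here as an example (it is not part of the advisory or of the theme's code): it reads the header of each theme's style.css and flags Modern Housewife installs at or below 1.0.12. The `Theme Name` header value and the default `wp-content/themes` path are assumptions.

```python
import re
from pathlib import Path

AFFECTED_MAX = (1, 0, 12)        # advisory: all versions up to and including 1.0.12
THEME_NAME = "modern housewife"  # assumption: value of the "Theme Name" header

# style.css header lines look like " * Version: 1.0.12" or "Theme Name: X"
HEADER_RE = re.compile(r"^[ \t/*#@]*(Theme Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

def parse_headers(css_text):
    """Extract Theme Name and Version from the header comment of a style.css."""
    headers = {}
    for key, value in HEADER_RE.findall(css_text[:8192]):  # WordPress reads only the first 8 KB
        headers.setdefault(key.lower(), value.strip())     # strip() also drops a CRLF "\r"
    return headers

def version_tuple(text):
    """'1.0.12' -> (1, 0, 12); None when no leading dotted number is present."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group().split(".")) if m else None

def classify(css_text):
    """None if another theme, else 'affected', 'not-affected' or 'unknown'."""
    h = parse_headers(css_text)
    if h.get("theme name", "").lower() != THEME_NAME:
        return None
    v = version_tuple(h.get("version"))
    if v is None:
        return "unknown"  # missing or unparsable version: review by hand
    width = max(len(v), len(AFFECTED_MAX))
    pad = lambda t: t + (0,) * (width - len(t))  # compare 1.1 as 1.1.0
    return "affected" if pad(v) <= pad(AFFECTED_MAX) else "not-affected"

def scan(themes_dir):
    """Map each matching theme directory name to its classification."""
    results = {}
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        status = classify(css.read_text(encoding="utf-8", errors="replace"))
        if status is not None:
            results[css.parent.name] = status
    return results

if __name__ == "__main__":
    import sys
    for name, status in scan(sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes").items():
        print(f"{name}: {status}")
```

A pre-release suffix such as `1.0.12-beta` is compared on its numeric part only, so it is reported as affected.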
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, affecting confidentiality and integrity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to craft a malicious request that triggers the vulnerable include; while the flaw does not guarantee remote code execution, the ability to read arbitrary local files presents a significant risk. Based on the description, it is inferred that attackers can exploit this flaw remotely via a crafted HTTP request over the network, without requiring authentication.