Impact
AncoraThemes Quantum theme suffers from an Improper Control of Filename for Include/Require Statement flaw, classified as a Local File Inclusion vulnerability (CWE-98). The weakness lets an attacker influence the file path passed to PHP's include/require functions, which can lead to disclosure of sensitive files on the server or to execution of arbitrary code if the attacker can cause a crafted file to be included. Exploitation can therefore expose confidential data or compromise the entire WordPress installation. The description indicates a potential for remote code execution, since the inclusion executes any PHP code present in the targeted files.
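As an added illustration (not code from the Quantum theme or from AncoraThemes), the CWE-98 include pattern the advisory describes is shown beside a hardened version; the `layout` parameter name, the `templates/` directory and the allowlist entries are assumptions:

```php
<?php
// Illustration of the CWE-98 pattern described in the advisory. This is not
// code from the Quantum theme; the "layout" parameter, the templates/
// directory and the allowlist are assumed for the example.

// Vulnerable shape: the request parameter flows straight into require().
// "../" sequences or a stream wrapper let the caller decide which file runs.
function render_layout_unsafe(string $layout): void
{
    require __DIR__ . '/templates/' . $layout . '.php';
}

// Hardened shape: only names from a fixed allowlist are accepted, and the
// resolved path is confirmed to sit inside the templates directory before
// anything is included. Returns null for any rejected input.
function resolve_layout(string $layout): ?string
{
    static $allowed = ['default', 'portfolio', 'gallery'];
    if (!in_array($layout, $allowed, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . $layout . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the canonical path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_layout(string $layout): void
{
    $path = resolve_layout($layout);
    if ($path === null) {
        http_response_code(400); // reject rather than fall back to a guess
        return;
    }
    require $path;
}

$requested = $_GET['layout'] ?? 'default';
render_layout(is_string($requested) ? $requested : 'default');
```

The allowlist check runs before any filesystem access, so traversal sequences and wrapper prefixes never reach `realpath()` or `require`; the containment check is a second line of defence if the allowlist is later loosened.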
Affected Systems
WordPress sites running the Quantum theme in any version from its first release up to and including 1.0 are affected. The product is AncoraThemes Quantum; no lower version boundary is specified, so all installed versions older than 1.1 are vulnerable.
Risk and Exploitability
The CVSS score of 8.1 rates this issue as high severity, while an EPSS score below 1% indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would most likely exploit the flaw remotely through crafted web requests that manipulate the file path parameter consumed by the theme's code, so successful exploitation requires only that the target WordPress site still hosts the vulnerable theme. No authentication or privilege requirements are mentioned, suggesting that even unauthenticated users could attempt the attack.
OpenCVE Enrichment