A flaw in AncoraThemes Crown Art allows a site visitor to influence the filename that the PHP code later includes or requires. The theme lacks proper validation on the file path, meaning the attacker can specify an arbitrary path to a file that exists on the server. This can enable the attacker to read sensitive files or, if the attacker can place a PHP–code containing file in a writable location, to execute that code on the server. Based on the description, it is inferred that the vulnerability could be leveraged to compromise site confidentiality or even achieve remote code execution if the attacker can provide a writable directory.

The vulnerability exists in all WordPress installations that have installed the Crown Art theme at version 1.2.11 or earlier. Any site that has not upgraded beyond 1.2.11 remains exposed.

The CVSS v3 score of 8.1 classifies it as a high‑severity flaw. The EPSS score of < 1% indicates a low likelihood of public exploitation at this time, and the exposure is not listed in the CISA KEV catalog. The likely attack vector is manipulating the filename parameter used by the theme’s include/require call; exploitation requires the attacker to have write access to, or the ability to point to, a file within the theme directory, or to read a sensitive file from that location. When the attacker controls a writable location or can read a critical file, they may read secrets or escape to inject and run PHP code.