Impact
The vulnerability stems from an uncontrolled filename in a PHP include/require statement in the AncoraThemes ElectroServ theme for WordPress. The advisory does not name the affected parameter, but the pattern it describes is that request-controlled input reaches the include path without validation, so an attacker can supply a value that resolves to an arbitrary file on the server. Such a local file inclusion can disclose sensitive configuration files (on a WordPress site, wp-config.php with its database credentials is the usual target) and becomes arbitrary code execution if the attacker can first place PHP code in a location the include can reach, for example through an upload feature. The flaw is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and carries a CVSS score of 8.1, high severity.
Affected Systems
The issue affects all releases of the ElectroServ theme up to and including version 1.3.2, as distributed to WordPress sites by AncoraThemes. Any site with one of these versions installed is exposed for as long as the vulnerable code path remains on the server, whether or not that path is used by the active configuration. Mitigation requires upgrading to a release that corrects the insecure include logic (the advisory does not name a fixed version, so confirm with the vendor that the release taken actually contains the fix) or removing the theme in favour of a maintained alternative.
Risk and Exploitability
With a CVSS score of 8.1 the flaw is high severity, yet the current EPSS score of less than 1% indicates that exploitation is not yet widespread, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no active exploitation has been publicly reported. Note that "local" in local file inclusion refers to the files being read from the target's own filesystem, not to where the attacker sits: an attacker who can influence the vulnerable parameter, most likely through a crafted HTTP request that sets the include filename, can trigger the flaw from outside. Sites should therefore assess how external input reaches that parameter: review the theme's PHP for include/require statements built from request data, and check web server logs for requests to the theme's paths carrying traversal sequences (../) or PHP stream wrapper prefixes (php://, data://).
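The following is an added example, not code from the ElectroServ theme or from AncoraThemes. It shows the CWE-98 include pattern described in the Impact section in its vulnerable form beside a hardened replacement, and feeds the hardened resolver the kinds of values a crafted request would carry, as discussed above. The parameter name "template", the templates/ directory, the allowlist entries and the probe strings are all assumptions constructed for the illustration; the advisory does not name the real parameter.

```php
<?php
// Added example, not code from the ElectroServ theme: the CWE-98 pattern the
// advisory describes, as a vulnerable include beside a hardened replacement.
// The parameter name "template" and the templates/ directory are assumptions;
// the advisory does not name the affected parameter.

// VULNERABLE: request data becomes part of the include path unchanged.
// ?template=../../../../wp-config.php discloses the database credentials, and a
// value pointing at a file the attacker managed to upload (for example under
// wp-content/uploads/) is executed as PHP whatever its extension.
function render_vulnerable(array $request): void
{
    $template = $request['template'] ?? 'default.php';
    include __DIR__ . '/templates/' . $template;
}

// HARDENED: the request value is only ever used as a key into a fixed
// allowlist, so no attacker-controlled bytes end up in the path at all.
const TEMPLATE_MAP = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];

function is_allowed_template(?string $name): bool
{
    return $name !== null && array_key_exists($name, TEMPLATE_MAP);
}

// Resolves an allowlisted name to an absolute path, or null if the name is
// unknown or the file does not resolve inside templates/ (defence in depth:
// a symlink or a botched TEMPLATE_MAP edit cannot escape the directory).
function resolve_template(?string $name): ?string
{
    if (!is_allowed_template($name)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . TEMPLATE_MAP[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(array $request): void
{
    $path = resolve_template($request['template'] ?? 'default');
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Constructed probes of the kind a crafted request would carry. The allowlist
// rejects every one of them without inspecting the string for "../" or
// wrappers, which is why allowlisting beats blacklisting traversal sequences.
$probes = [
    'grid',
    '../../../../wp-config.php',
    'php://filter/convert.base64-encode/resource=../../wp-config.php',
    "default\0.txt",
    '../../uploads/2024/shell.jpg',
];
foreach ($probes as $probe) {
    printf("%-70s %s\n", var_export($probe, true),
        is_allowed_template($probe) ? 'allowed' : 'rejected');
}
```

Run with `php example.php`: only the literal key "grid" is reported as allowed; the traversal, php://filter, null-byte and uploads-path probes are all rejected because none of them is a key of TEMPLATE_MAP. The realpath containment check in resolve_template is deliberately redundant with the allowlist so that a later mistake in the map cannot silently reopen the directory.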
OpenCVE Enrichment