Impact
An improperly validated include path in the Ekoterra theme's PHP code lets an attacker supply an arbitrary filename value, resulting in local file inclusion (LFI). By forcing the theme to include files residing outside the intended directory, an attacker may read sensitive files such as configuration or source code, potentially leading to further exploitation or exposure of confidential data. The flaw is a classic CWE‑98 (PHP file inclusion) vulnerability; its impact is not limited to remote code execution, as it can also serve as a foothold for subsequent attacks.
Affected Systems
WordPress installations running AncoraThemes Ekoterra — NonProfit, Green Energy & Ecology Theme version 1.0.0 or earlier are affected. The flaw resides in the theme's core files and is triggered when a crafted query parameter supplied by the attacker is passed directly to PHP's include or require statements. Sites running an updated version of the theme, or a different theme, are not affected by this issue.
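The include pattern described above, with one way to harden it, written for this page as an added example rather than the theme's actual code; the query parameter name `tpl`, the `templates/` directory and the template names are assumptions:

```php
<?php
// Added illustration, not the Ekoterra theme's code. Assumes a template chooser
// driven by a query parameter named "tpl" (hypothetical name).

// Vulnerable pattern (CWE-98): the request value reaches include() unchecked,
// so a value containing path separators or an absolute path can pull in files
// outside the templates directory, as the advisory describes.
function render_template_vulnerable(string $tpl): void
{
    include __DIR__ . '/templates/' . $tpl;
}

// Hardened pattern: the request value is only ever a lookup key into a fixed
// allowlist, so the client never controls any part of the included path.
const ALLOWED_TEMPLATES = [
    'home'    => 'home.php',
    'project' => 'project.php',
    'contact' => 'contact.php',
];

function resolve_template(string $tpl): ?string
{
    if (!array_key_exists($tpl, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . ALLOWED_TEMPLATES[$tpl]);
    // Defence in depth: the resolved file must still live under the templates
    // directory even if the allowlist is later edited carelessly.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $tpl): void
{
    $path = resolve_template($tpl);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Request handling: an unknown key is rejected instead of being turned into a path.
$requested = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'home';
render_template_safe($requested);
```

Rejected requests can also be logged with the raw parameter value, which gives a simple detection signal for probing against an installation that has not yet been updated.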
Risk and Exploitability
The CVSS base score of 8.1 classifies this as high severity. The EPSS score is reported as less than 1 %, indicating a low current probability of exploitation, but the vulnerability remains exploitable by any attacker who can craft a request containing a malicious file path. The attack vector is likely local or remote access to a WordPress page on which the theme processes user‑supplied parameters. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no confirmed widespread exploitation at the time of writing.
OpenCVE Enrichment