AncoraThemes Consultor WordPress Theme contains an improper control of filename for include/require statements in its PHP code, creating a local file inclusion vulnerability (CWE‑98). An attacker can trick the application into including and potentially executing arbitrary local files, which may expose sensitive configuration data or allow the execution of malicious code. The flaw directly compromises confidentiality and could lead to integrity violations if attacker‑controlled files are loaded.

The vulnerability is present in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme versions up to and including 1.2.4. Any installation of the theme identified as Consultor that has not been updated beyond version 1.2.4 is impacted.

Based on the description the likely attack vector is the supply of a crafted input that directs the application to include a local file; this can be triggered via a URL or form parameter. The vulnerability has a high severity with a CVSS score of 8.1 while its EPSS score is below 1%, indicating a low current exploitation likelihood. It is not listed in the CISA KEV catalog. If an attacker can cause the application to execute code from the included file, they may gain elevated privileges or further compromise the site. The main risk lies in unauthorized access to sensitive files and the potential for code execution, which can affect confidentiality, integrity, and availability of the WordPress instance.