The Chronicle WordPress theme contains an improper control of filename in an include/require statement that allows an attacker to include local files through PHP's include functionality. This flaw is identified by CWE-98 and is rated with a CVSS score of 8.1, indicating a high severity level. The vulnerability permits the retrieval of arbitrary files from the server or the execution of arbitrary PHP code that resides locally, potentially exposing sensitive data or enabling further compromise.

All installations of AncoraThemes’ Chronicle – Lifestyle Magazine & Blog WordPress Theme up to and including version 1.0 are affected. The issue is triggered whenever the theme's PHP files are invoked without proper sanitization of the include paths, regardless of user role or authentication state.

The EPSS score for this vulnerability is below 1%, suggesting a low probability of exploitation at present, and it is not included in the CISA Known Exploited Vulnerabilities catalog. Nevertheless, the high CVSS rating indicates that exploitation would have significant consequences if it were to occur. The likely attack vector is a publicly reachable web request that contains a manipulated parameter or URL fragment forcing the theme to include a file chosen by an attacker. No login or special privileges are required, so all visitors to the site are at risk.