The AncoraThemes Jack Well theme for WordPress versions up to 1.0.14 contains a vulnerability classified as CVE-2025-49365. This vulnerability arises from improper validation or control of filenames used in PHP include or require statements, enabling PHP Local File Inclusion. Exploiting this flaw could allow an unauthenticated remote attacker to include local files on the server, leading to high impact on confidentiality, integrity, and availability. The CVSS v3.1 base score is 8.1, reflecting network attack vector, high complexity, no privileges required, no user interaction, and high impact on all three security properties. There is no vendor advisory or patch information available at this time.

Successful exploitation of this vulnerability can lead to arbitrary local file inclusion on the affected server, potentially allowing attackers to read sensitive files, execute arbitrary code, and fully compromise the system's confidentiality, integrity, and availability. The CVSS score of 8.1 indicates a high impact. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the affected theme version and avoid exposing the vulnerable application to untrusted networks. Monitor official AncoraThemes channels for updates and apply patches promptly once available.