This vulnerability in AncoraThemes Hanani arises from improper validation of filenames used in PHP include or require statements, enabling Local File Inclusion (LFI). LFI vulnerabilities allow attackers to include files on the server, potentially exposing sensitive information or enabling code execution. The affected versions are up to and including 1.2.11. The CVSS 3.1 vector indicates network attack vector, high attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Successful exploitation can lead to disclosure of sensitive files, modification of application behavior, and potentially full system compromise due to the ability to include arbitrary local files. The high CVSS score reflects the critical nature of these impacts. However, no known active exploits have been reported to date.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to vulnerable versions and applying any recommended configuration changes to limit file inclusion risks. Monitoring vendor channels for updates is advised.