Impact
Versions 0.2 through 0.3.5 of the Simple Fields WordPress plugin contain a local file inclusion flaw that allows an attacker to supply specially crafted wp_abspath values with null bytes to read arbitrary files. Because the plugin naively passes the parameter to the include() function, a malicious user can read sensitive files such as /etc/passwd and, if the server permits URL inclusion, inject PHP code into web-server logs for remote code execution. The vulnerability is categorized as CWE-98 and could compromise confidentiality, integrity, and availability of the affected system.
Affected Systems
WordPress sites that have the Simple Fields plugin installed in any of the vulnerable releases (0.2 to 0.3.5) and are running a PHP interpreter older than version 5.3.4 are directly impacted. Sites using later PHP versions are not susceptible to the null‑byte bypass, but the plugin remains vulnerable to the basic LFI if allow_url_include is enabled. Administrators should verify the current plugin version and PHP runtime before assessing risk.
Risk and Exploitability
This flaw carries a CVSS score of 6.9, indicating a moderate to high severity risk. The EPSS score is not available, and the vulnerability is not in the CISA KEV catalogue, implying a lower observed exploitation rate. Because no authentication is required, any visitor can target the system, and the possibility of executing PHP code through log injection makes the threat particularly dangerous on misconfigured hosts. Despite the absence of quantitative exploit data, the potential for arbitrary code execution warrants prompt attention.
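For triage, the following added example (not code from the plugin or from OpenCVE) scans web-server access logs for requests that supply the wp_abspath parameter and labels null-byte, traversal and URL-scheme values, including double-encoded ones. The log lines and the PLUGIN_SCRIPT.php path are constructed placeholders, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines (combined log format); PLUGIN_SCRIPT.php is a placeholder path.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /PLUGIN_SCRIPT.php?wp_abspath=/etc/passwd%00 HTTP/1.1" 200 1843
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /PLUGIN_SCRIPT.php?wp_abspath=..%2F..%2Fsome%2Ffile%2500 HTTP/1.1" 200 902
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /PLUGIN_SCRIPT.php?wp_abspath=/var/www/html/ HTTP/1.1" 200 312
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2500) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the indicators found in one wp_abspath value."""
    v = decode_fully(value)
    reasons = []
    if "\x00" in v:
        reasons.append("null-byte")
    if "../" in v or "..\\" in v:
        reasons.append("traversal")
    if SCHEME_RE.match(v):
        reasons.append("url-scheme")
    # Any client-supplied wp_abspath is worth a look, even without indicators.
    return reasons or ["param-present"]

def scan(log_text):
    """Return (client_ip, status, reasons) for each request carrying wp_abspath."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key.lower() == "wp_abspath":
                findings.append((ip, int(status), classify(value)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs normally record only the query string, so a wp_abspath value sent in a POST body will not appear here and needs request-body logging or a WAF rule to catch.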
OpenCVE Enrichment