Impact
The plugin fails to validate a user‑supplied value before using it to construct a server‑side file inclusion path, permitting authenticated users with subscriber level or higher to include and execute arbitrary local PHP files on the host. This type of flaw, a local file inclusion, can lead to remote code execution.
Affected Systems
The vulnerability affects the Notifications for Forms & WordPress Actions WordPress plugin, versions earlier than 2.6, on any site that has users capable of attaining subscriber‑level access or higher.
Risk and Exploitability
With a CVSS score of 7.5 the flaw is classified as high severity, while an EPSS score below 1% indicates a low probability of zero‑day exploitation at present. The flaw is not listed in CISA KEV, but the presence of an authentication requirement means that compromised credentials could be leveraged for code execution once the server is accessed.
OpenCVE Enrichment