Impact
The vulnerability lies in the way the connector determines the client's IP address: it takes the value from HTTP request headers that any client can set, rather than from the transport-level address, so an attacker can present a forged IP. Any access decision the connector keys on that address can therefore be satisfied with a crafted header, and the API endpoint behind it returns the output of phpinfo(). An unauthenticated requester can thus obtain the full PHP and server configuration: environment variables, ini settings, loaded modules, and database credentials where these are passed to PHP through the environment. This is a direct information-disclosure flaw, classified as CWE-200.
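The following PHP is an added illustration, not the plugin's code: it shows the header-trusting IP lookup described above next to a hardened version, and a request handler that emits phpinfo() next to one that returns only what the integration needs. The function names, the allowlist and the trusted-proxy list are hypothetical; the request array is constructed for the example.

```php
<?php
// Added example, not code from the BigBuy connector. Function names, the
// allowlist and the trusted-proxy list are hypothetical; $server is a
// constructed stand-in for PHP's $_SERVER.

// Vulnerable pattern: the first forwarding header that is present wins, and
// every one of them is supplied by the requester. Anything keyed on the
// result (allowlists, rate limits, audit logs) can be steered by the client.
function bb_example_client_ip_vulnerable(array $server): string
{
    foreach (['HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_REAL_IP'] as $key) {
        if (!empty($server[$key])) {
            // X-Forwarded-For may be a comma-separated list; the first element
            // is whatever the requester chose to put there.
            return trim(explode(',', $server[$key])[0]);
        }
    }
    return $server['REMOTE_ADDR'] ?? '';
}

// Vulnerable handler: a header-derived address gates a phpinfo() dump.
function bb_example_api_vulnerable(array $server, array $allowlist): void
{
    if (in_array(bb_example_client_ip_vulnerable($server), $allowlist, true)) {
        phpinfo(); // environment, ini settings, loaded modules, $_SERVER
    }
}

// Hardened pattern: use REMOTE_ADDR, and honour X-Forwarded-For only when the
// connecting peer is a reverse proxy you operate. With one trusted hop, the
// last list element is the address that proxy saw; validate it as an IP literal.
function bb_example_client_ip_hardened(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $hops      = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}

// Hardened handler: transport-derived address, and no phpinfo() in any branch.
function bb_example_api_hardened(array $server, array $allowlist, array $trusted_proxies): array
{
    if (!in_array(bb_example_client_ip_hardened($server, $trusted_proxies), $allowlist, true)) {
        return ['status' => 403, 'body' => ['error' => 'forbidden']];
    }
    // Return the minimum the integration needs; never a configuration dump.
    return ['status' => 200, 'body' => ['ok' => true]];
}

// Constructed request: the TCP peer is an arbitrary internet host, but the
// X-Forwarded-For header claims an allowlisted address.
$server = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.10',
];
$allowlist       = ['203.0.113.10'];   // hypothetical allowlisted address
$trusted_proxies = ['10.0.0.2'];       // hypothetical reverse proxy

// The vulnerable lookup yields the forged header value; the hardened one
// ignores the header because 198.51.100.7 is not a trusted proxy.
var_dump(bb_example_client_ip_vulnerable($server));
var_dump(bb_example_client_ip_hardened($server, $trusted_proxies));
var_dump(bb_example_api_hardened($server, $allowlist, $trusted_proxies)['status']);
```

Whatever the gate in front of the endpoint is, the two points that matter are the same: a forwarding header is only evidence of anything when the peer that sent it is a proxy you control, and phpinfo() has no place in a response path reachable by visitors.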
Affected Systems
All releases of the BigBuy Dropshipping Connector for WooCommerce up to and including 2.0.5 are affected. Any WordPress installation running one of these releases is susceptible, regardless of hosting provider, theme or additional plugins, as long as the plugin's default configuration is unchanged. The flaw is reached through the plugin's API controller, which is accessible to all visitors unless access has been explicitly restricted.
Risk and Exploitability
The CVSS base score is 5.3, a Medium severity. The EPSS is below 1 %, so the likelihood of exploitation in the wild is currently considered low, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, because the attack requires no authentication and the endpoint is exposed to any visitor, an attacker who singles out a site can repeatedly request the phpinfo() output and harvest whatever configuration data it reveals. The primary vector is HTTP requests with crafted X-Forwarded-For or similar headers sent to the connector's API URL. Until the plugin is updated to a release later than 2.0.5, operators can reduce exposure by restricting access to the plugin's API path and by stripping client-supplied forwarding headers at the reverse proxy or web server so that only the proxy's own values reach PHP.
OpenCVE Enrichment