Impact
The vulnerability resides in the showFile function of the Hide My WP Ghost plugin, allowing path traversal. An attacker can supply crafted input to escape the intended directory and read the contents of specific file types on the server. Because the affected endpoint requires no authentication, any user who can send HTTP requests to it can trigger the read operation. This constitutes an information‑disclosure flaw that could reveal configuration files, credentials, or other sensitive data, thereby compromising confidentiality. The weakness is classified as CWE‑23, a Path Traversal defect in which untrusted input reaches a file operation without proper validation of the resulting path.
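As an added illustration of the mitigation for this class of flaw (example code, not the plugin's own showFile implementation), the check below canonicalizes the requested path and refuses anything that resolves outside the intended directory or lacks an allowed extension; the base directory, the allowed-suffix list and the function name are assumptions made for this example.

```python
import os
from urllib.parse import unquote

# Constructed base directory for the demo; a real handler would use the
# plugin's own asset directory.
DEMO_BASE = "/srv/wordpress/wp-content/plugins/example-plugin/assets"
# Hypothetical whitelist of file types the handler is meant to serve.
ALLOWED_SUFFIXES = (".css", ".js")


def resolve_within(base_dir: str, requested: str, allowed=ALLOWED_SUFFIXES):
    """Return the canonical path for `requested` if it stays inside base_dir
    and ends with an allowed suffix; return None for everything else.

    The containment test compares canonical (realpath) paths instead of
    stripping '../' substrings, so encoded or nested traversal sequences
    are handled by the same rule as plain ones."""
    if not requested or "\x00" in requested:
        return None
    decoded = unquote(requested)            # %2e%2e%2f -> ../ (decoded once)
    if "\x00" in decoded:
        return None
    # Refuse absolute paths and drive-style prefixes outright; the colon
    # rule is deliberately conservative.
    if os.path.isabs(decoded) or decoded.startswith("\\") or ":" in decoded:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Containment: the candidate must be base_dir itself or a descendant.
    if os.path.commonpath([base, candidate]) != base:
        return None
    # Serving the directory itself or a non-whitelisted type is not allowed.
    if candidate == base or not candidate.lower().endswith(allowed):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs: legitimate requests beside traversal attempts.
    for req in ("style.css", "sub/../style.css", "../../../etc/passwd",
                "%2e%2e/%2e%2e/wp-config.php", "/etc/passwd", "wp-config.php"):
        print(f"{req!r:32} -> {resolve_within(DEMO_BASE, req)}")
```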
Affected Systems
All installations of the Hide My WP Ghost security plugin for WordPress up to and including version 5.4.01 are affected. The plugin is used by site owners to hide paths and block attacks; the path traversal flaw is present in every release of the plugin in this version window. If an organization is running a supported WordPress environment with this plugin, it must assess whether the plugin is present and whether the insecure endpoint is reachable.
Risk and Exploitability
The CVSS score of 7.5 categorizes this as a high‑severity weakness. The EPSS score of 1% indicates that while the vulnerability is known to be exploitable, the probability of an active exploit is low but non‑negligible. It is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. The likely attack path involves an unauthenticated attacker submitting a crafted request to the plugin’s showFile handler, which performs no authentication check, causing the server to return the requested file contents. Because no privilege escalation is required, any user can achieve this limited read. Organizations should therefore treat this as a serious risk if the plugin remains at an affected version.
OpenCVE Enrichment