Impact
The vulnerability is an improper control of the filename used in include/require statements in the PHP code of the Ach Invoice App plugin, which amounts to a local file inclusion flaw. An attacker can supply crafted input that causes the plugin to include arbitrary files from the server's filesystem, potentially allowing sensitive configuration files to be read, or malicious PHP code to be executed if a file whose contents the attacker controls is included as code. Depending on what is included, this can affect confidentiality, integrity, and availability.
Affected Systems
The flaw affects all installations of the Service Shogun Ach Invoice App plugin for WordPress that are version 1.0.1 or earlier. No patch version was specified in the advisory, so any newer release beyond 1.0.1 should be checked for remediation.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of 1% shows that the exploitation probability is moderate but non-zero. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is the web interface, where an attacker supplies a malicious URL or form input that influences the filename passed to the include statement. Little interaction is required: an unauthenticated attacker can trigger the flaw if the vulnerable endpoint is publicly accessible.
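As an added illustration of the attack vector described above (this is not code from the advisory or from the plugin), the following Python routine scans web-server access log lines for request parameters shaped like include-path manipulation: traversal sequences, absolute paths, stream wrappers or URLs, and null bytes, after undoing a second layer of URL encoding. The plugin path, the parameter name and the log lines are constructed placeholders, because the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Constructed sample access log lines (Apache/Nginx combined format); not real traffic.
# The plugin slug "example-invoice" and the parameter "page" are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/example-invoice/view.php?page=invoice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/example-invoice/view.php?page=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.9 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/plugins/example-invoice/view.php?page=php://filter/resource=index.php HTTP/1.1" 200 3000 "-" "python-requests/2.31"
203.0.113.11 - - [10/May/2024:12:00:04 +0000] "GET /wp-content/plugins/example-invoice/view.php?page=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a parameter value is being used to steer a file include.
RULES = [
    ("path traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("absolute path", re.compile(r"^([\\/]|[A-Za-z]:[\\/])")),
    ("stream wrapper or URL", re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)),
    ("null byte", re.compile(r"\x00")),
]


def find_lfi_attempts(log_text: str) -> list[dict]:
    """Return one record per request parameter that matches an LFI indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlparse(m["target"]).query
        # parse_qsl decodes one layer of %XX escapes; unquote again so that
        # double-encoded values such as %252e%252e%2f are inspected decoded.
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = unquote(value)
            for reason, rx in RULES:
                if rx.search(decoded):
                    hits.append({"ip": m["ip"], "param": name, "value": decoded, "reason": reason})
                    break  # one reason per parameter is enough for triage
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']}: {hit['param']}={hit['value']!r} ({hit['reason']})")
```

Only the three suspicious lines are reported; the benign `page=invoice` request is ignored.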