Impact
Based on the description, it is inferred that improper control of the filename used in an include/require statement in the dzeriho Improved Sale Badges – Free Version plugin enables PHP Local File Inclusion. An attacker can supply a crafted path to cause the plugin to read and execute arbitrary files on the web server. This may result in disclosure of sensitive information, modification of site content, or execution of malicious code, compromising the confidentiality, integrity, and availability of the WordPress site.
Affected Systems
The vulnerability affects the WordPress plugin Improved Sale Badges – Free Version from the initial release up to and including version 1.0.1. Any WordPress site that has this plugin installed and has not upgraded past version 1.0.1 is potentially impacted.
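To check a host against the version range above, the following added example (not code from the plugin or from this advisory's source) walks a WordPress plugins directory, reads each plugin file header, and reports copies at or below 1.0.1. It assumes the plugin's "Plugin Name" header contains "Improved Sale Badges"; the directory names and the 9.9.9 version in the demo are constructed test values.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 0, 1)                # "up to and including version 1.0.1"
NAME_FRAGMENT = "improved sale badges"   # assumption: appears in the Plugin Name header
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_header(php_source):
    """Extract Plugin Name and Version from a WordPress plugin file header."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # header lives in the first 8 KB
        fields.setdefault(key.lower(), value)
    return fields

def version_tuple(text):
    """'1.0.1' -> (1, 0, 1); trailing zeros dropped so '1.0.1.0' compares equal."""
    parts = [int(n) for n in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def find_affected(plugins_dir):
    """Return (path, version) for each installed copy at or below 1.0.1."""
    hits = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_header(php.read_text(errors="replace"))
        name, version = header.get("plugin name", ""), header.get("version")
        if NAME_FRAGMENT in name.lower() and version is not None:
            if version_tuple(version) <= LAST_AFFECTED:
                hits.append((str(php), version))
    return hits

def demo():
    """Run the check over a constructed plugins tree (names and 9.9.9 are made up)."""
    samples = {"badges-old": ("Improved Sale Badges - Free Version", "1.0.1"),
               "badges-new": ("Improved Sale Badges - Free Version", "9.9.9"),
               "unrelated": ("Some Other Plugin", "0.9")}
    with tempfile.TemporaryDirectory() as root:
        for slug, (name, ver) in samples.items():
            folder = Path(root) / slug
            folder.mkdir()
            (folder / "main.php").write_text(
                f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return [version for _, version in find_affected(root)]

if __name__ == "__main__":
    print(demo())
```

On a real host, call find_affected() with the site's wp-content/plugins path; a non-empty result means an affected copy is installed, whether or not the plugin is active.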
Risk and Exploitability
Based on the description, it is inferred that the attack vector is a local server path disclosure or manipulation of the include arguments, enabling the attacker to read sensitive files or execute code. The CVSS score is 8.1, indicating high severity. The EPSS score of 1.6% shows a moderate probability of exploitation. The issue is not listed in CISA KEV, but it remains a significant risk for sites that are publicly reachable and use the affected plugin.