Impact
Based on the description, it is inferred that improper control of the filename used in an include/require statement in the dzeriho Improved Sale Badges – Free Version plugin enables PHP Local File Inclusion. An attacker can supply a crafted path to cause the plugin to read and execute arbitrary files on the webserver, which may result in disclosure of sensitive information, modification of site content, or execution of malicious code, thereby compromising confidentiality, integrity, and availability of the WordPress site. This constitutes a CWE-98 weakness involving improper control of filenames for include/require statements.
Affected Systems
The vulnerability affects the WordPress plugin Improved Sale Badges – Free Version from the initial release up to and including version 1.0.1. Any WordPress site that has this plugin installed and has not upgraded past version 1.0.1 is potentially impacted.
Risk and Exploitability
Based on the description, it is inferred that the attack vector is a local server path disclosure or manipulation of the include arguments. The CVSS score is 8.1, indicating a high severity. The EPSS score of <1% indicates a low probability of exploitation. The issue is not listed in CISA KEV, but it remains a potential risk for sites that are publicly reachable and are using the affected plugin. The exploit could enable an attacker to read sensitive files or execute code by leveraging the vulnerability.
OpenCVE Enrichment
EUVD