Impact
An improper limitation of pathname to a restricted directory in WP Ultimate Exporter allows attackers to perform absolute path traversal. This can let an attacker read any file on the webserver that the web process can access, exposing configuration files, credentials or other sensitive data. The vulnerability is associated with CWE-22.
Affected Systems
Smackcoders Inc.’s WP Ultimate Exporter plugin versions up to and including 2.9 are affected, i.e. every build from the earliest release through 2.9. The advisory supplies no lower version boundary, and versions later than 2.9 are assumed to be unaffected.
Risk and Exploitability
The CVSS score of 4.9 rates the flaw as medium severity, and the EPSS score of less than 1% indicates a low probability of exploitation at present. Because the plugin does not constrain the exported path to a safe directory, it can be inferred that an attacker who can reach the export functionality (assuming the export endpoint is reachable by users) can craft a request containing traversal sequences (e.g., ../../etc/passwd) and read arbitrary files. This inference is based on typical plugin behaviour rather than on an explicit statement in the description. The attack is remote and requires no local privileges, so it is reachable over the network whenever the export feature is publicly exposed. The flaw is not currently listed in the CISA KEV catalog, which suggests that no widespread active exploitation has been observed.
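As an added illustration (not code from WP Ultimate Exporter or Smackcoders), the PHP below contrasts an unconstrained path build with a check that confines a requested export file to one directory, which is the CWE-22 mitigation this class of flaw calls for. The function names, the temporary directory and the sample file are assumptions made for the demonstration.

```php
<?php
// Added example, not the plugin's code. Shows why concatenating a request
// value onto a directory is unsafe and how to confine it instead.

// Unconstrained pattern (illustrative only): "../../wp-config.php" escapes.
function export_path_unconstrained(string $export_dir, string $requested): string {
    return $export_dir . '/' . $requested;
}

// Hardened form: accept only a plain file name, resolve it, and require the
// resolved path to remain inside the resolved export directory.
function export_path_constrained(string $export_dir, string $requested): ?string {
    // Reject empty names and NUL bytes, which can truncate paths in C-backed calls.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // basename() strips every directory component, including "../" sequences,
    // so anything that changes under it was not a bare file name.
    if (basename($requested) !== $requested) {
        return null;
    }
    $base = realpath($export_dir);
    if ($base === false) {
        return null; // export directory must exist
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null; // target does not exist or cannot be resolved
    }
    // Second check: symlinks inside the directory could still point outside it.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed demonstration data: a temporary export directory with one CSV.
$dir = sys_get_temp_dir() . '/wpue_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/report.csv', "id,name\n1,alice\n");

var_dump(export_path_constrained($dir, 'report.csv'));       // allowed
var_dump(export_path_constrained($dir, '../../etc/passwd')); // rejected
var_dump(export_path_constrained($dir, '/etc/passwd'));      // rejected
var_dump(export_path_unconstrained($dir, '../../etc/passwd')); // unsafe path built

unlink($dir . '/report.csv');
rmdir($dir);
```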