Impact
The vulnerability is a path traversal flaw in the Morkva UA Shipping plugin’s handling of file paths that allows a malicious actor to include arbitrary local files. An attacker can exploit it to read sensitive configuration files, access application logs, or even execute code if a writable file can be targeted for inclusion. The weakness is categorized as CWE-35, indicating that improper validation of file paths permits directory traversal.
Affected Systems
The affected product is the WordPress Morkva UA Shipping plugin, version 1.0.18 and earlier, developed by Ihor Kit. Any installation using these versions of the plugin is susceptible. The vulnerability applies to all WordPress sites that have the plugin active, regardless of the overall WordPress version.
Risk and Exploitability
The CVSS score of 8.1 reflects high severity, while the EPSS score of less than 1% indicates a low predicted exploitation probability at present. The issue is not listed in the CISA KEV catalog. The likely attack vector is the plugin’s exposed PHP endpoints that accept file paths; exploitation is possible remotely, and whether it requires an authenticated user depends on the plugin configuration. Given the nature of the defect, a successful exploit could lead to disclosure of confidential files or to arbitrary code execution if a writable file is targeted.
OpenCVE Enrichment