Impact
This vulnerability is a Path Traversal flaw that lets an attacker supply a crafted pathname to read any file on the server through the WordPress VideoWhisper Live Streaming Integration plugin. The flaw is classified as CWE‑22, indicating that the application fails to properly restrict file paths to a safe directory, leading to potential disclosure of sensitive configuration files, passwords, or other confidential data. An attacker could use the plugin’s download endpoint to fetch arbitrary files, compromising the confidentiality but not directly the integrity or availability of the system.
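The containment check whose absence CWE-22 describes, as an added example that is not the plugin's code. The function name, directory layout and file names are hypothetical, and the demo files are constructed in a temporary directory.

```php
<?php
// Added example: hypothetical names throughout; not taken from the plugin.

/**
 * Resolve a user-supplied file name against a base directory and return the
 * canonical path only if it stays inside that directory; otherwise null.
 */
function resolve_inside(string $baseDir, string $requested): ?string
{
    // Reject empty input and NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks; it returns false when the
    // target does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "/srv/uploads-old" does not pass as "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo tree: one file meant to be served, one that must not be.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe22_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/clip.txt', 'public');
file_put_contents($root . '/secret.conf', 'db_password=constructed');

foreach (['clip.txt', '../secret.conf', 'sub/../../secret.conf', '/etc/hostname'] as $name) {
    $path = resolve_inside($root . '/uploads', $name);
    printf("%-24s => %s\n", $name, $path === null ? 'rejected' : 'served');
}

// Remove the constructed files again.
unlink($root . '/uploads/clip.txt');
unlink($root . '/secret.conf');
rmdir($root . '/uploads');
rmdir($root);
```

Checking the canonical path after resolution, instead of filtering `../` out of the input string, also covers symlinks and encoded or nested traversal sequences that survive string filtering.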
Affected Systems
The affected product is the WordPress VideoWhisper Live Streaming Integration plugin, known to vendors as videowhisper Broadcast Live Video. All releases up to and including version 6.2 are impacted; any WordPress site running those versions exposes the path traversal vulnerability.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score is under 1%, suggesting that the likelihood of widespread exploitation is currently low, although the flaw could still be used in targeted attacks. The flaw is not listed in the CISA KEV catalog, so no confirmed exploitation is publicly documented. The most likely attack vector is remote, via crafted HTTP requests to the plugin’s file‑download endpoint, requiring no privileged local access. If an attacker gains network access to the WordPress site, they can exploit this flaw to retrieve arbitrary files from the server’s filesystem.