Impact
Improper Control of Filename for Include/Require Statement in PHP (CWE-98) allows a local file inclusion in the WordPress plugin "Coming Soon, Maintenance Mode". An attacker could supply a crafted input that causes the plugin to include an arbitrary local file, potentially exposing sensitive files or giving the attacker a foothold to execute arbitrary PHP code. The vulnerability is limited to the plugin’s include mechanism and does not directly grant remote code execution unless the attacker can place malicious content in an included file.
Affected Systems
The vulnerability affects all installations of the "Coming Soon, Maintenance Mode" plugin by Mobeen Abdullah from the earliest release through version 1.1.1. Any WordPress site running an affected version is potentially exposed, regardless of site configuration or user role.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the most probable attack vector is a web-based request that reaches the include statement, although the advisory does not detail the exact triggering mechanism. Because this is a local file inclusion, the attacker needs a way to influence which file is selected, such as a query parameter or form input, most likely by accessing the plugin's interface or crafting a URL that manipulates the filename.
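To make the CWE-98 pattern and its remediation concrete, the following is an added illustration, not code from the plugin (whose source is not reproduced in this advisory); the parameter name, template names and directory layout are hypothetical:

```php
<?php
// Hypothetical illustration of the CWE-98 pattern this advisory describes; not the plugin's code.

// Vulnerable shape: the template name comes straight from the request and lands in include.
// Whatever the request supplies steers which file the server includes, which is the
// "improper control of filename" condition.
function render_template_vulnerable(): void {
    $template = $_GET['template'] ?? 'default';            // request-controlled value
    include plugin_dir_path(__FILE__) . 'templates/' . $template . '.php';
}

// Hardened shape: never build an include path from request data. Map the request to a key
// in a fixed allowlist, then confine the resolved path to the templates directory.
function render_template_hardened(): void {
    $allowed = [                                            // hypothetical allowlist
        'default'     => 'default.php',
        'countdown'   => 'countdown.php',
        'maintenance' => 'maintenance.php',
    ];
    $key = sanitize_key($_GET['template'] ?? 'default');   // WordPress helper: keeps [a-z0-9_-] only
    if (!array_key_exists($key, $allowed)) {
        $key = 'default';                                   // unknown value: fall back, do not use it
    }
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $allowed[$key]);
    // Defence in depth: the allowlist already rules out traversal, but the realpath check also
    // catches a mistaken allowlist entry or a symlink that points outside $base.
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_die('Invalid template', '', ['response' => 400]);
    }
    include $path;
}
```

On a site that cannot update immediately, reviewing web server logs for requests to the plugin's endpoints with unexpected values in template-selecting parameters is a reasonable detection step while the fix is scheduled.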
OpenCVE Enrichment