This vulnerability is a CWE‑98 Local File Inclusion flaw caused by improper control of the filename used in PHP include/require statements. An attacker who can influence the file path supplied to the ChatBot plugin can cause the server to read arbitrary local files, exposing configuration data or credentials. Although the flaw does not directly allow execution of code, the ability to read sensitive files may help an attacker plan a subsequent attack.

The flaw affects QuantumCloud’s ChatBot plugin for WordPress. All releases of the plugin with version numbers up through 6.3.5 are vulnerable, as the issue was present from the earliest version (“n/a”) through 6.3.5. No later releases are known to be impacted.

With a CVSS score of 7.5 and an EPSS score of less than 1%, the likelihood that this flaw will be actively exploited is low. The plugin likely requires an unauthenticated or low‑privilege request that triggers an include/require with a user‑supplied path; based on the description, it is inferred that the attack vector involves manipulating a file path parameter in a request to the plugin’s endpoint. Because the flaw does not enable remote code execution, the primary risk is leaking sensitive local files, but the overall impact remains moderate, and the vulnerability is not listed in the CISA KEV catalog.