Impact
The vulnerability is an improper limitation of a pathname to a restricted directory (path traversal, CWE-22) in the Theme File Duplicator WordPress plugin. The plugin accepts a file path from the user and uses it without validating or sanitizing it, so a request can carry "../" sequences that walk out of the directory the plugin is meant to operate in. An attacker who can reach the affected download function can use this to read and download arbitrary files that the web server process has permission to open; on a WordPress host that typically includes wp-config.php, which holds the database credentials and authentication salts, as well as other configuration files or key material. The impact is to confidentiality: the page describes a read primitive only, not a write or code-execution one.
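The check that is missing is a containment test on the resolved path. The following is an added illustration, not code from the plugin or from the advisory: vulnerable_resolve() mirrors the pattern the text describes (join the user's value onto a base directory and use it), and safe_resolve() shows the containment check a fix needs, with the edge cases that commonly defeat naive "..-stripping" fixes. THEME_ROOT, both function names and the sample file names are assumptions made for this example.

```python
import os
import urllib.parse
from typing import Optional

# Constructed base directory for illustration only; a real plugin would take
# this from WordPress (get_theme_root()) rather than hard-coding it.
THEME_ROOT = "/srv/www/wp-content/themes"


def vulnerable_resolve(base: str, requested: str) -> str:
    """The pattern the advisory describes: the query value is decoded once
    (as a web server does before handing it to the application) and joined
    onto the base directory with no containment check, so '../' sequences
    walk out of it and an absolute path replaces the base entirely."""
    return os.path.normpath(os.path.join(base, urllib.parse.unquote(requested)))


def safe_resolve(base: str, requested: str) -> Optional[str]:
    """Resolve `requested` against `base` and return the absolute path only
    if it stays inside `base`; return None for anything that escapes.

    Checks, in order:
      * percent-decode once, so '%2e%2e%2f' is treated as '../'
      * reject NUL bytes, which truncate paths in C-level file APIs
      * treat backslashes as separators (Windows hosts)
      * drop a leading slash so an absolute path cannot replace the base
      * realpath() both sides so symlinks and '..' are resolved before comparing
      * commonpath() containment, so '/themes-evil' is not mistaken for '/themes'
    """
    decoded = urllib.parse.unquote(requested)
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/").lstrip("/")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, decoded))
    try:
        inside = os.path.commonpath([base_real, target]) == base_real
    except ValueError:  # paths on different drives (Windows)
        inside = False
    return target if inside else None


if __name__ == "__main__":
    for name in ("twentytwentyfour/style.css",
                 "../../wp-config.php",
                 "%2e%2e/%2e%2e/wp-config.php",
                 "..\\..\\wp-config.php",
                 "/etc/passwd"):
        print(f"{name!r:34} vulnerable -> {vulnerable_resolve(THEME_ROOT, name)}")
        print(f"{'':34} safe       -> {safe_resolve(THEME_ROOT, name)}")
```

The comparison deliberately uses os.path.commonpath() rather than a string prefix test: a prefix test on "/srv/www/wp-content/themes" also accepts "/srv/www/wp-content/themes-evil/anything". Resolving with realpath() before the comparison is what makes symlinked entries inside the base directory, and ".." segments that are only visible after decoding, fail the check instead of slipping through.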
Affected Systems
The issue affects the rockgod100 Theme File Duplicator plugin for WordPress in all releases up to and including version 1.3. No lower bound and no fixed version are given here, so treat every installed copy at version 1.3 or earlier as vulnerable and check the plugin's changelog or the full CVE record for a release that addresses it before relying on an update.
Risk and Exploitability
The CVSS base score of 6.5 places the vulnerability in the medium severity range; the vector is not reproduced here, so whether the download function can be reached without authentication has to be confirmed from the full CVE record. The EPSS score of less than 1% indicates a low estimated probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. The trigger is a crafted HTTP request to the plugin's file download endpoint with a traversal sequence in the file parameter, and it works as long as the affected plugin code is reachable on the site. Note that deactivating a plugin leaves its files on disk under wp-content/plugins, so if the vulnerable script is reachable directly rather than through a WordPress hook, deactivation alone does not close the hole; removing the plugin or updating to a fixed release does. Because the result is a remote file read, exposure of wp-config.php or other secrets can be the first step toward database access or full site takeover, so the risk is not negligible for any site running version 1.3 or earlier.
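Whether a site was probed can usually be answered from the web server access log, since the traversal sequence travels in the request line. The scanner below is an added example, not part of the advisory or the plugin: it parses combined-format log lines, decodes the path and every query value (repeatedly, so double-encoded and backslash variants are caught), flags requests whose path or parameters contain a ".." segment, and reports the response status so that served (200) reads stand out from blocked (403) attempts. The log lines are constructed for the example, and the plugin directory slug, script name and action name in them are hypothetical.

```python
import re
import urllib.parse

# Plugin directory slug is assumed for this example; use whatever directory
# the plugin actually occupies under wp-content/plugins on your site.
PLUGIN_SLUG = "theme-file-duplicator"

# Constructed Apache/Nginx "combined" access-log lines, not real traffic.
# The script and action names in the URLs are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2024:12:00:01 +0000] "GET /wp-content/plugins/theme-file-duplicator/download.php?file=../../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:12:00:02 +0000] "GET /wp-content/plugins/theme-file-duplicator/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:12:00:03 +0000] "GET /wp-content/plugins/theme-file-duplicator/download.php?file=style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=duplicate_file&file=..%5c..%5cwp-config.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:12:00:05 +0000] "GET /blog/2024/..-not-traversal/ HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' that forms a whole path segment, not '..' inside a longer name.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so a
    double-encoded '%252e%252e' is seen as '..' just as '%2e%2e' is."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if the decoded value contains a '..' path segment; backslashes
    are treated as separators so Windows-style sequences are caught too."""
    normalized = fully_decode(value).replace("\\", "/")
    return bool(TRAVERSAL_RE.search(normalized))


def scan_log(text):
    """Return one record per request whose path or any query value carries a
    directory-traversal sequence, with the status code and whether the
    request targeted the plugin's own directory."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urllib.parse.urlsplit(m.group("target"))
        indicators = []
        if has_traversal(parts.path):
            indicators.append(("path", parts.path))
        # parse_qsl already decodes once; fully_decode handles further layers.
        for key, val in urllib.parse.parse_qsl(parts.query, keep_blank_values=True):
            if has_traversal(val):
                indicators.append((key, val))
        if indicators:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "plugin_path": f"/plugins/{PLUGIN_SLUG}/" in parts.path,
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        served = "SERVED" if hit["status"] == 200 else "blocked"
        print(f'{hit["time"]} {hit["ip"]:15} {served:7} '
              f'plugin_dir={hit["plugin_path"]} {hit["indicators"]}')
```

The fourth sample line shows why the check is applied to every request and not only to the plugin's directory: a plugin that registers its download handler through admin-ajax.php is exercised at a WordPress core URL, and only the action and file parameters identify it. The fifth line shows why ".." is matched as a whole segment; a blog slug that merely contains two dots is not a traversal and should not page anyone.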