Impact
The flaw allows an attacker to delete arbitrary files from a WordPress site by exploiting a path traversal issue in the Aviation Weather from NOAA plugin’s file handling logic. Classified as CWE‑22, the vulnerability carries a CVSS score of 7.7, indicating that it presents a high‑severity risk capable of undermining the integrity of the site and its data. The description does not specify the precise conditions for exploitation, but the core weakness is the ability to reference any pathname relative to the plugin’s working directory, enabling deletion of any file the WordPress process can access.
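A containment check that closes this class of weakness (CWE-22) in PHP, shown as an added example that is not the plugin's code or its fix. The helper name `safe_delete()`, the directory layout and the file names are constructed for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from the plugin.
// Deletes a file only if its fully resolved path stays inside $baseDir.
function safe_delete(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // base directory does not exist
    }
    // realpath() collapses "../" segments and follows symlinks. It returns
    // false for paths that do not exist, which is treated as a refusal.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against "base/" (with the trailing separator) so a sibling
    // such as "cache_evil" is not accepted as a child of "cache".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cwe22_demo_' . uniqid();
mkdir($root . '/plugin/cache', 0700, true);
mkdir($root . '/plugin/cache_evil', 0700, true);
file_put_contents($root . '/wp-config.php', 'constructed');
file_put_contents($root . '/plugin/cache/metar.xml', 'constructed');
file_put_contents($root . '/plugin/cache_evil/x.txt', 'constructed');

$base = $root . '/plugin/cache';
// A file inside the base directory.
var_dump(safe_delete($base, 'metar.xml'));
// A relative path that climbs out of the base directory.
var_dump(safe_delete($base, '../../wp-config.php'));
// A sibling directory whose name shares the base directory's prefix.
var_dump(safe_delete($base, '../cache_evil/x.txt'));
// The file outside the base directory must still be present.
var_dump(file_exists($root . '/wp-config.php'));
```

In a WordPress plugin this check belongs behind the usual capability and nonce verification, since containment alone does not decide who may delete files.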
Affected Systems
WordPress installations that include the Aviation Weather from NOAA plugin by machouinard at version 0.7.2 or earlier are affected. No additional WordPress core or PHP version constraints are listed, so the risk applies broadly to any configuration running the vulnerable plugin.
Risk and Exploitability
The EPSS score is reported as less than 1%, suggesting that exploitation is unlikely in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the high CVSS rating means that if an attacker can reach the deletion functionality, potentially through a publicly exposed endpoint, they could remove critical files or assets, resulting in a denial of service or persistence of malicious content. The absence of an explicit authentication requirement in the description implies that the exploit could be performed by any user who can trigger the vulnerable operation.