The vulnerability in the WordPress WP01 plugin is a classic Path Traversal flaw that permits an attacker to craft input for the plugin’s file download function and retrieve any file on the server’s filesystem that the web server is permitted to read. This flaw is formally classified as CWE‑22, indicating improper limitation of a pathname to a restricted directory. The attacker can therefore read configuration files, credentials, or other sensitive assets that are not intended to be publicly accessible, making the primary risk an arbitrary disclosure of files.

The flaw affects installations of the WP01 WordPress plugin with version 2.6.2 or earlier. The affected product is identified simply as "WP01 WP01 plugin" and no later release appears to be impacted by this issue.

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of 44% suggests a relatively high probability of exploitation in the near future. The flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack vector is a remote URL-based request sent to the plugin’s file download endpoint, possibly from a publicly exposed WordPress site. Successful exploitation requires the attacker to know or guess the target file path; once a path is supplied that traverses outside the intended directory, the attacker receives the file contents in the plugin’s response.