The vulnerability is an improper limitation of a pathname to a restricted directory, allowing path traversal on the WordPress Include URL plugin. This flaw lets an attacker download any file the web server can read, potentially revealing sensitive data or code. It represents a CWE‑22 weakness and results in an information disclosure risk. The damage is limited to the ability to read files; it does not grant immediate code execution or remote shell access, but the stolen data could enable further attacks.

The word‑press plugin Include URL from the vendor samsk is affected for all releases from the initial release up to and including version 0.3.5. Users running these or older unpublished builds should consider updating or disabling the plugin.

The CVSS score of 6.5 indicates moderate severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation, and it is not listed in CISA’s KEV catalog. The likely attack path requires web access to the plugin’s download endpoint; the description does not state if authentication is required, so the vector is inferred to be local to the web server or possibly remote via a browser. Because the flaw permits arbitrary file reads, it poses a real risk to confidentiality, especially for sites storing private configuration or content on the same server.