Impact
Arraytics WPCafe plugin contains a flaw where the filename parameter for a PHP include/require statement is not properly controlled. This leads to a Local File Inclusion vulnerability that can allow an attacker to read arbitrary files on the web server, such as configuration files, credentials, or system files. If an attacker can inject a PHP file as the included path, the vulnerability may also be leveraged for code execution. The weakness is identified as CWE-98, Improper Control of Filename for Include/Require.
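To make the CWE-98 pattern concrete, the following is an added example written for this advisory, not code from the WPCafe plugin: a generic WordPress-style template loader in its vulnerable form, where a request value is concatenated straight into include(), beside a hardened version that maps the value to a fixed allowlist and verifies the resolved path before including it. The function names (load_template_vulnerable, resolve_template, load_template_hardened), the templates directory and the TEMPLATE_ALLOWLIST entries are assumptions for illustration; plugin_dir_path, sanitize_key, wp_unslash, esc_html__ and wp_die are standard WordPress functions.

```php
<?php
// Added example (not WPCafe's code): a hypothetical template loader showing
// the CWE-98 pattern and a hardened replacement for it.

// VULNERABLE: the request-supplied value reaches include() unchanged, so the
// caller decides which file on disk is included (Local File Inclusion).
function load_template_vulnerable(string $requested): void {
    $base = plugin_dir_path(__FILE__) . 'templates/';   // assumed layout
    include $base . $requested . '.php';
}

// HARDENED: user input is only ever used as a lookup key into an allowlist;
// the actual file name comes from the map, never from the request.
const TEMPLATE_ALLOWLIST = [
    'menu'  => 'menu.php',
    'order' => 'order.php',
];

// Returns the absolute path of an allowed template, or null if the request
// names anything else. realpath() plus a prefix check is defence in depth:
// even a mistaken allowlist entry cannot resolve outside the template directory.
function resolve_template(string $requested, string $base): ?string {
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $baseReal = realpath($base);
    $real     = realpath($base . TEMPLATE_ALLOWLIST[$requested]);
    if ($baseReal === false || $real === false) {
        return null;                       // directory or file missing
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the template directory
    }
    return $real;
}

function load_template_hardened(string $requested): void {
    $base = plugin_dir_path(__FILE__) . 'templates/';   // assumed layout
    $path = resolve_template($requested, $base);
    if ($path === null) {
        // Refuse with a 400 rather than falling back to a request-derived path.
        wp_die(esc_html__('Invalid template.', 'example-plugin'), '', ['response' => 400]);
    }
    include $path;
}

// Entry point: normalise the raw query value before it reaches the resolver.
// sanitize_key() strips everything except lowercase alphanumerics, '-' and '_',
// so path separators and dots never survive to the lookup.
$requested = isset($_GET['template']) ? sanitize_key(wp_unslash($_GET['template'])) : 'menu';
load_template_hardened($requested);
```

The important design choice is that the hardened loader never builds a path from the request string; the string selects an entry in a closed map, and the map supplies the file name. Reviewing a plugin for this class of bug therefore comes down to locating every include/require/include_once/require_once whose argument is derived from $_GET, $_POST, $_REQUEST or a shortcode attribute, and confirming that an allowlist lookup of this kind sits in between.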
Affected Systems
WordPress sites running the Arraytics WPCafe plugin version 2.2.31 or earlier are affected. The vulnerability applies to all deployments of the plugin up to and including version 2.2.31, regardless of other WordPress configuration.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of 1.6% (0.01594) shows a low probability of exploitation at the time of analysis, and the issue is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to supply a crafted filename argument, most likely through a URL parameter or form submission, and requires that the target environment permits inclusion of local files. The likely attack vector, inferred from the plugin's handling of a filename parameter for include/require, is manipulation of that parameter. The description does not explicitly state that included PHP files are executed, so the potential for code execution remains uncertain; LFI alone, however, can allow reading of arbitrary server files such as configuration or credential data. Overall risk to affected sites remains high, especially for those exposed to the public Internet.
OpenCVE Enrichment