Impact
Arraytics WPCafe plugin contains a flaw where the filename parameter for a PHP include/require statement is not properly controlled. This leads to a Local File Inclusion vulnerability that can allow an attacker to read arbitrary files on the web server, such as configuration files, credentials, or system files. If an attacker can cause a PHP file under their control to become the included path, the vulnerability may also be leveraged for code execution. The weakness is identified as CWE-98, Improper Control of Filename for Include/Require.
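To make the CWE-98 pattern concrete, the block below is an added illustration and not WPCafe's own code: the request parameter name `template`, the function names, the template directory layout and the allowlist entries are all assumptions. It places the unsafe include next to two hardened forms, a fixed allowlist (preferred) and a realpath containment check for cases where the set of files is genuinely dynamic.

```php
<?php
// Added illustration of CWE-98 (Improper Control of Filename for Include/Require).
// Not the plugin's code: parameter name, functions and paths are hypothetical.

$template_dir = __DIR__ . '/templates';

// VULNERABLE pattern: the request value is concatenated straight into the
// include path. Anything PHP can read can then be pulled into the script,
// and a file the caller controls would be executed as PHP.
function render_template_vulnerable(string $template_dir, string $name): void
{
    include $template_dir . '/' . $name . '.php';
}

// HARDENED pattern 1: allowlist. The request value is only ever a key into a
// fixed map, so no user-controlled string reaches the include statement.
const TEMPLATE_ALLOWLIST = [
    'menu'        => 'menu.php',        // hypothetical entries
    'reservation' => 'reservation.php',
];

function render_template_allowlisted(string $template_dir, string $name): void
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        throw new InvalidArgumentException('unknown template');
    }
    include $template_dir . '/' . TEMPLATE_ALLOWLIST[$name];
}

// HARDENED pattern 2: when files are added at runtime and an allowlist is not
// practical, restrict the name to a simple identifier, resolve the real path
// and verify it stays inside the template directory before including it.
function resolve_template_path(string $template_dir, string $name): ?string
{
    // Only plain identifiers: no separators, dots, encoded bytes or NULs.
    if (!preg_match('/\A[a-z0-9_-]+\z/', $name)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // realpath() has already collapsed ".." and symlinks, so a prefix check
    // on the resolved path is a meaningful containment test.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_checked(string $template_dir, string $name): void
{
    $path = resolve_template_path($template_dir, $name);
    if ($path === null) {
        throw new InvalidArgumentException('invalid template');
    }
    include $path;
}

// Example dispatch using the hypothetical "template" query parameter.
$name = isset($_GET['template']) ? (string) $_GET['template'] : 'menu';
render_template_allowlisted($template_dir, $name);
```

The allowlist form is the one to reach for first: it removes the user-controlled string from the include path entirely, so encoding tricks and wrapper schemes have nothing to act on. The realpath variant is only as good as its identifier filter and its prefix check; both are needed, because a filter alone does not account for symlinks inside the directory and a prefix check alone does not reject names that fail to resolve.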
Affected Systems
WordPress sites running the Arraytics WPCafe plugin version 2.2.31 or earlier are affected. The vulnerability applies to all deployments of the plugin up to and including version 2.2.31, regardless of other WordPress configuration.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% shows a low probability of exploitation at the time of analysis, and the issue is not currently listed in the CISA KEV catalog. Exploitation requires the attacker to supply a crafted filename argument, likely through a URL parameter or form submission, and requires that the target environment permits inclusion of local files. Given the high confidentiality and integrity impact and the potential for code execution via included local files, the overall risk to impacted sites remains high, especially for those exposed to the public Internet.
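Because the advisory notes that exploitation needs a crafted filename argument delivered through a URL parameter or form field, site operators can look for that shape in their own access logs while patching. The block below is an added detection sketch, not part of the advisory or the plugin: the log lines are constructed, the parameter name `template` is hypothetical, and the checks target the generic traversal signals (encoded or double-encoded `..` sequences, absolute paths, NUL bytes) rather than any plugin-specific string.

```php
<?php
// Added detection sketch (not from the advisory): scan Common Log Format
// lines for query-string values that look like attempts to steer an include
// path out of its directory. Sample log lines below are constructed.

function looks_like_path_manipulation(string $value): bool
{
    // parse_str() has already decoded one layer; decode twice more so that
    // double-encoded forms such as %252e%252e are normalised as well.
    $decoded = rawurldecode(rawurldecode($value));
    return strpos($decoded, '../') !== false
        || strpos($decoded, '..\\') !== false
        || strpos($decoded, "\0") !== false
        || ($decoded !== '' && $decoded[0] === '/');
}

// Returns one entry per suspicious (parameter, value) pair found in the log.
function suspicious_requests(array $log_lines): array
{
    $hits = [];
    foreach ($log_lines as $line) {
        // Quoted request portion of CLF: "METHOD /path?query HTTP/x.y"
        if (!preg_match('/"[A-Z]+ ([^ "]+) HTTP\/[0-9.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        foreach ($params as $key => $value) {
            if (is_string($value) && looks_like_path_manipulation($value)) {
                $hits[] = ['param' => (string) $key, 'value' => $value, 'line' => $line];
            }
        }
    }
    return $hits;
}

// Constructed sample: one benign request, one encoded traversal, one
// double-encoded traversal. The "template" parameter name is hypothetical.
$sample = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?template=menu HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?template=..%2F..%2F..%2Fconfig HTTP/1.1" 200 4120',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?template=%252e%252e%252fsecret HTTP/1.1" 200 1100',
];

foreach (suspicious_requests($sample) as $hit) {
    echo "param={$hit['param']} value={$hit['value']}\n";
}
```

Run against the constructed sample this reports the second and third lines only. A 200 response paired with an unusually large body on such a request is worth treating as a probable successful read rather than a mere probe, and the same checks apply to POST bodies if the application logs them.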
OpenCVE Enrichment
EUVD