Impact
The flaw resides in the DeBounce Email Validator plugin for WordPress and is classified as a Local File Inclusion vulnerability. It occurs because the plugin does not properly sanitize the filename supplied to PHP's include/require statements, allowing an attacker to cause the application to read arbitrary files from the local filesystem. This can disclose sensitive configuration files, application logic, or other data that resides on the server, compromising confidentiality, and may allow files to be modified if the server's file permissions permit it. This weakness is identified by CWE-98.
Affected Systems
Affected are WordPress sites that use the DeBounce Email Validator plugin, version 5.7 or older. The affected product is the debounce:DeBounce Email Validator plugin. No specific WordPress core or PHP version is mentioned, but the vulnerability applies to all installations running a vulnerable version of the plugin regardless of other software on the server.
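To check a server against the version range above, the following added example (not part of the advisory or the plugin) scans a plugins directory for WordPress plugin headers naming DeBounce Email Validator and classifies each installed version. The function names, folder names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

PLUGIN_NAME = "DeBounce Email Validator"  # product name as written in the advisory
LAST_AFFECTED = (5, 7)                    # advisory: "version 5.7 or older"
# WordPress plugin metadata lives in a comment header of the main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)

def classify(version):
    """Return 'affected', 'not affected', or 'unknown' (needs manual review)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        return "unknown"
    v = tuple(int(p) for p in m.group().split("."))
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so 5.7 and 5.7.0 compare equal
    return "affected" if pad(v) <= pad(LAST_AFFECTED) else "not affected"

def read_headers(php_file):
    """Parse header fields from the start of the file (roughly the first 8 KB)."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def audit_plugins(plugins_dir):
    """List (relative path, version, status) for every copy of the plugin found."""
    findings = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        headers = read_headers(php_file)
        if PLUGIN_NAME.lower() not in headers.get("plugin name", "").lower():
            continue
        version = headers.get("version", "")
        rel = php_file.relative_to(plugins_dir).as_posix()
        findings.append((rel, version, classify(version)))
    return findings

def build_sample_tree(root):
    """Constructed sample data: three fake plugin folders with made-up names."""
    samples = [("validator-a/main.php", "DeBounce Email Validator", "5.6.2"),
               ("validator-b/main.php", "DeBounce Email Validator", "5.7.1"),
               ("other/other.php", "Some Other Plugin", "1.0")]
    for rel, name, ver in samples:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit_plugins(tmp))
```

On a real host, pass the site's `wp-content/plugins` path to `audit_plugins`; an `unknown` status means the version header could not be parsed and the copy needs manual review.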
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity. The EPSS score is below 1%, suggesting that the likelihood of exploitation is currently low, but the vulnerability is still potentially valuable to attackers. The flaw is not listed in the CISA KEV catalog, so it has not been reported as a known exploited vulnerability yet. Nevertheless, the attack path is straightforward: an attacker who can influence the filename parameter used by the plugin – for example, via crafted URLs or malicious form submissions – can trigger the inclusion of arbitrary files. Based on the description, it is inferred that no authentication or elevated privileges are required, which heightens the risk for unprotected WordPress sites.