This vulnerability allows an attacker to insert sensitive information into a file or directory that is publicly accessible. The result is that confidential data—such as credentials or personal information—may be retrieved by an unauthenticated user, exposing the data to the internet. The weakness corresponds to CWE-538, which deals with the unprotected storage of confidential data in a location that can be accessed by an external entity. The problem is not a denial of service or remote code execution, but it does compromise confidentiality and potentially the integrity of stored data.

The issue exists in the Oblak Studio Srbtranslatin WordPress plugin for any version up to and including 3.2.0. Any WordPress installation that has this plugin installed and which serves the affected files directly from the web server is vulnerable. Users of versions labeled 3.2.0 or older—and any version that has not yet been addressed with the official update—are at risk.

The CVSS score of 5.8 indicates a moderate severity. The EPSS score of less than 1% suggests that, as of this analysis, the probability of exploitation in the wild is very low. Because the flaw relies on the plugin placing sensitive data in an externally reachable location, an attacker would need only to locate the exposed file via the web root, which is possible without elevated privileges. The vulnerability is not reported in the CISA KEV catalog and there is no known public exploit at this time, but the potential for accidental data leakage remains.