Impact
The vulnerability is an improper control of the filename used in a PHP include/require statement. This flaw allows an attacker to supply a crafted path that can result in Local File Inclusion. Such inclusion can expose sensitive files on the web server and may enable the upload or execution of malicious scripts, thereby compromising the confidentiality and integrity of the WordPress site. The weakness is identified as CWE-98 and is classified as a moderate-to-high severity issue due to its potential effects on the entire WordPress installation.
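The CWE-98 pattern described above, next to a hardened form, as an added illustration that is not the plugin's code. The advisory does not publish the affected code path, so the `tpl` parameter, the template names and the `templates` directory are assumptions.

```php
<?php
// Added illustration of CWE-98; not taken from the plugin. All names are hypothetical.

// Unsafe pattern: request input flows straight into the include path, so the
// caller, not the code, decides which file PHP loads.
//   include TEMPLATE_DIR . '/' . $_GET['tpl'] . '.php';

const TEMPLATE_DIR = __DIR__ . '/templates';               // hypothetical directory
const ALLOWED_TEMPLATES = ['listing', 'agent', 'search'];  // hypothetical names

/**
 * Map a requested template name to a file path inside TEMPLATE_DIR.
 * Returns null for anything that is not an exact allowlisted name or
 * that resolves outside the template directory.
 */
function resolve_template(string $requested): ?string
{
    // 1. Allowlist: strict comparison against known names, no pattern matching.
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    // 2. Containment: canonicalise both paths (resolves symlinks and "..")
    //    and require the file to sit below the template directory.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Request handling: reject arrays and other non-string input before lookup.
$requested = (isset($_GET['tpl']) && is_string($_GET['tpl'])) ? $_GET['tpl'] : 'listing';
$file = resolve_template($requested);
if ($file === null) {
    http_response_code(400);
    exit('Unknown template');
}
require $file;
```

The allowlist alone closes the inclusion path; the `realpath` containment check is a second layer that still holds if a symlink is placed in the template directory or the allowlist is later loosened.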
Affected Systems
The affected product is the WordPress Real Estate Manager plugin developed by Rameez Iqbal. All releases from the earliest available version up through version 7.3 contain the flaw; patching or upgrading beyond 7.3 is required to remove the vulnerability.
Risk and Exploitability
The CVSS score of 7.5 indicates a high overall risk, while the EPSS score of less than 1% shows that exploitation is currently considered rare. The flaw is not listed in the CISA KEV catalog, so no known exploited instances are reported. The likely attack vector is remote; an adversary can trigger the vulnerability by accessing a URL or form that passes a malicious file path to the plugin. Successful exploitation would give the attacker read access to server files or the ability to upload and run code, potentially leading to full server compromise.