Impact
The vulnerability is an Improper Limitation of a Pathname to a Restricted Directory, commonly called Path Traversal (CWE-22), in the Piotnet Forms plugin for WordPress. The plugin builds a file path from input it does not adequately constrain, so an attacker who can influence that input may be able to make the plugin read or include files outside the directory it was meant to work in. The description does not say that uploaded or attacker-controlled code can be executed; the documented risk is to confidentiality. Disclosure of configuration or credential files would nonetheless hand an attacker material for further access, since such files often hold database or API credentials.
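As an added illustration (this is not Piotnet Forms code and not taken from the advisory), the generic CWE-22 pattern described above beside a hardened version: a request-controlled file name concatenated onto a base directory, and the same read guarded by a containment check built on `realpath()`. The directory layout, file names and function names are constructed for the demo.

```php
<?php
// Added example, not code from Piotnet Forms or the advisory. It shows the
// generic CWE-22 pattern (a request-controlled file path used without
// containment) beside a hardened version, on a directory layout constructed
// here for the demo. Function and directory names are illustrative.

// Vulnerable pattern: the requested name is concatenated onto the base
// directory, so "../" segments walk out of it.
function read_file_vulnerable(string $base, string $requested)
{
    $path = $base . '/' . $requested;
    return @file_get_contents($path); // string on success, false on failure
}

// Resolve $requested relative to $base and return the canonical path only
// if it stays inside $base; null otherwise.
function resolve_under_base(string $base, string $requested): ?string
{
    // NUL bytes truncate the path at the C layer; reject outright.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $realBase = realpath($base);
    if ($realBase === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks, so a link
    // inside $base that points outside is caught as well. It returns
    // false for paths that do not exist, which is acceptable for a read.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // Compare against base plus a trailing separator so that a sibling
    // such as "/srv/uploads_private" is not accepted for base "/srv/uploads".
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function read_file_hardened(string $base, string $requested)
{
    $path = resolve_under_base($base, $requested);
    if ($path === null || !is_file($path)) {
        return false;
    }
    return file_get_contents($path);
}

// Demo on a throwaway layout: <tmp>/uploads/inside.txt is the intended
// file; <tmp>/secret.txt stands in for a configuration file outside it.
function demo(): void
{
    $root = sys_get_temp_dir() . '/cwe22_demo_' . bin2hex(random_bytes(4));
    $uploads = $root . '/uploads';
    mkdir($uploads, 0700, true);
    file_put_contents($uploads . '/inside.txt', "public content\n");
    file_put_contents($root . '/secret.txt', "db_password=example\n"); // constructed

    foreach (['inside.txt', '../secret.txt'] as $name) {
        $v = read_file_vulnerable($uploads, $name);
        $h = read_file_hardened($uploads, $name);
        printf("%-16s vulnerable=%s hardened=%s\n",
            $name,
            $v === false ? 'false' : json_encode($v),
            $h === false ? 'false' : json_encode($h));
    }

    unlink($uploads . '/inside.txt');
    unlink($root . '/secret.txt');
    rmdir($uploads);
    rmdir($root);
}

demo();
```

Run with `php demo.php`: the vulnerable reader returns the contents of `../secret.txt`, the hardened reader refuses it and still serves `inside.txt`. PHP percent-decodes query and form parameters before plugin code sees them, so an encoded `..%2F` arrives as `../` and the check above operates on the decoded value; only a plugin that decodes a second time would be exposed to double-encoded input.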
Affected Systems
Affected are installations of the Piotnet Forms plugin for WordPress, developed by piotnetdotcom, in every version up to and including 1.0.30; the advisory gives no lower bound (listed as "n/a"), so no earlier release is known to be safe. The affected range is determined by the plugin version alone, and the WordPress core version does not change it.
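To check an installation against that range, the following added example (not code from the plugin, WordPress or the advisory) reads the `Version:` header line that WordPress itself uses to report a plugin's version from the plugin's main PHP file and compares it with `version_compare()`. The header text below is constructed for the demo; on a real site the contents of the plugin's main file would be passed in instead.

```php
<?php
// Added example, not from the plugin or the advisory. It decides whether an
// installed copy is in the affected range (every version <= 1.0.30) by
// reading the "Version:" header from a plugin's main PHP file, the same
// header WordPress parses to report the plugin version. The sample header
// at the bottom is constructed for the demo.

const LAST_AFFECTED_VERSION = '1.0.30';

// Pull the Version header out of a plugin file's leading comment block.
// Mirrors the header format WordPress parses; returns null if absent.
function extract_plugin_version(string $fileContents): ?string
{
    // Only the first 8 KiB are examined, as WordPress does for file headers.
    $head = substr($fileContents, 0, 8192);
    if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(.*?)[ \t]*$/mi', $head, $m) !== 1) {
        return null;
    }
    $version = trim($m[1]);
    return $version === '' ? null : $version;
}

// true: affected; false: outside the affected range; null: version unknown,
// which should be treated as a finding to resolve by hand, not as "safe".
function is_affected_version(?string $version): ?bool
{
    if ($version === null) {
        return null;
    }
    return version_compare($version, LAST_AFFECTED_VERSION, '<=');
}

// Constructed sample of a plugin main-file header.
$sampleHeader = <<<'HEADER'
<?php
/**
 * Plugin Name: Piotnet Forms
 * Version: 1.0.30
 */
HEADER;

$version = extract_plugin_version($sampleHeader);
var_dump($version);
var_dump(is_affected_version($version));
var_dump(is_affected_version('1.0.31'));
var_dump(is_affected_version(null));
```

`version_compare()` treats each dot-separated component numerically, so `1.0.30` compares correctly against `1.0.4` where a plain string comparison would not. The unknown case is returned as `null` rather than `false` on purpose: a missing or unparseable header is a reason to look at the site, not a reason to mark it unaffected.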
Risk and Exploitability
The CVSS score of 2.7 places the issue at low severity, and an EPSS score below 1% indicates a low estimated probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The description does not state the attack vector or the privileges required; what can be said is that an attacker needs some way to get a path of their choosing into the plugin's file handling, whether through a request the plugin processes or through other input it reads. The files that can be reached are bounded by the permissions of the account the web server runs as, which is one reason to keep configuration files readable only by that account and nothing broader. Because only file access is documented and no attacker-controlled code execution, the immediate risk is information disclosure, including leakage of any credentials stored in files the server can read.