Impact
Trusty Plugins Shop Products Filter is vulnerable to a Path Traversal flaw that allows PHP Local File Inclusion. An attacker can supply a specially crafted file path that resolves outside the intended directory, so that any accessible file on the server can be included. If an attacker can include configuration files or code, they may disclose sensitive information or trigger remote code execution. The weakness is cataloged as CWE-35.
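The flaw class described above, shown from the defender's side as an added example that is not the plugin's code: the advisory does not show how the plugin builds its include path, so the one-pass filter, the helper names `strip_once` and `resolve_template`, and the `templates` directory are assumptions. It shows why removing `../` once does not neutralise the `.../...//` form that CWE-35 names, next to a resolver that allowlists the name and checks that the canonical path stays inside the base directory.

```php
<?php
// Added example; helper names and directory layout are hypothetical.

// Weak pattern (assumed for illustration): remove "../" in a single pass.
// str_replace() does not rescan its output, so ".../...//" collapses to "../".
function strip_once(string $name): string {
    return str_replace('../', '', $name);
}

// Hardened: allowlist the name, canonicalise, then require the result
// to sit inside the base directory before it is ever passed to include.
function resolve_template(string $baseDir, string $name): ?string {
    if (!preg_match('/\A[a-z0-9_-]+\z/', $name)) {
        return null;                       // no dots, separators or NUL bytes
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;                       // base or target does not exist
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // Catches symlinks that point outside the base directory.
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/grid.php', "<?php // sample template\n");
file_put_contents($root . '/secret.php', "<?php // file outside the base\n");

$inputs = ['grid', '../secret', '.../...//secret'];   // constructed inputs
foreach ($inputs as $input) {
    $resolved = resolve_template($root . '/templates', $input);
    printf("%-16s one-pass filter: %-10s hardened: %s\n",
        $input, strip_once($input), $resolved ?? 'rejected');
}

// Clean up the sample files.
unlink($root . '/templates/grid.php');
unlink($root . '/secret.php');
rmdir($root . '/templates');
rmdir($root);
```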
Affected Systems
The vulnerability affects the Trusty Plugins Shop Products Filter plugin for WordPress, specifically any installation of version 1.2 or earlier. Any website that has this plugin deployed without a recent upgrade is potentially impacted, regardless of the site’s overall WordPress version. No specific server OS or PHP version is listed as a requirement in the advisory.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% shows a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a web interface that accepts user-controlled input; the vulnerability is inferred to be exploitable by an unauthenticated attacker who can issue crafted requests to the plugin’s endpoint. While no remote code execution is formally documented, the ability to include arbitrary files means this risk exists if sensitive files are readable or if code files can be injected.