The vulnerability is a Path Traversal flaw that permits PHP Local File Inclusion. An attacker can supply a crafted path that bypasses the restricted directory check and gain read or execution access to arbitrary local files. This can lead to the disclosure of sensitive information or remote code execution if the included file contains executable PHP code. The weakness is formally classified as CWE‑22, making it a high‑risk issue for the WordPress WooCommerce Pickupp plugin.

The flaw affects the WooCommerce Pickupp plugin for WordPress versions up to and including 2.4.3. All installations running these versions are susceptible; no specific sub‑versions are listed, so any release within this range is considered impacted.

The CVSS score of 8.1 places this vulnerability in the high severity range. The EPSS of less than 1% suggests a low probability of immediate exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the most likely attack vector is a web‑based request that specifies an out‑of‑bounds file path, making the flaw exploitable by individuals with web access to the affected site. The lack of additional context means the attack requires the ability to send crafted requests to the plugin’s endpoints, but does not indicate a need for privileged credentials or a prerequisite compromise.