Impact
The vulnerability is an improper control of the filename used in an include/require statement in RadiusTheme's Testimonial Slider And Showcase Pro plugin: a WordPress site running the plugin can be made to include arbitrary local files. Depending on the contents of the included files, this can disclose sensitive configuration files or system information, or lead to the execution of PHP code. The weakness corresponds to CWE-98 (Improper Control of Filename for Include/Require Statement). The documented severity is a CVSS score of 7.5, indicating a high impact if successfully exploited.
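To make the CWE-98 pattern concrete, here is an added illustration of the weakness class beside a hardened form. It is not code from the Testimonial Slider And Showcase Pro plugin and does not reproduce the actual flaw; the request parameter name `layout`, the `templates/` directory and the function names are assumptions chosen for the example. The hardened version maps the untrusted value onto a fixed allowlist and then confirms the resolved path still lies inside the plugin directory, so no request value ever reaches `include` directly.

```php
<?php
// Added example of CWE-98 (Improper Control of Filename for Include/Require).
// Hypothetical code: the 'layout' parameter, the templates/ directory and the
// function names are assumptions, not the plugin's own implementation.

// Vulnerable pattern: a request parameter decides which file is included.
function tssp_render_vulnerable(): void {
    $layout = isset($_GET['layout']) ? $_GET['layout'] : 'default';
    // The attacker-controlled string is concatenated straight into the path,
    // so traversal sequences or absolute paths select arbitrary local files.
    include plugin_dir_path(__FILE__) . 'templates/' . $layout . '.php';
}

// Hardened pattern: the request value is only a key into a fixed allowlist,
// and the resolved path is checked to stay under the plugin directory.
function tssp_render_hardened(): void {
    $allowed = [
        'default'  => 'templates/default.php',
        'carousel' => 'templates/carousel.php',
        'grid'     => 'templates/grid.php',
    ];

    // sanitize_key() reduces the input to [a-z0-9_-], then the allowlist decides.
    $requested = isset($_GET['layout'])
        ? sanitize_key(wp_unslash($_GET['layout']))
        : 'default';
    if (!array_key_exists($requested, $allowed)) {
        $requested = 'default';
    }

    // Defense in depth: resolve symlinks and '..' and refuse anything that
    // ends up outside the plugin's own directory.
    $base = realpath(plugin_dir_path(__FILE__));
    $file = realpath($base . '/' . $allowed[$requested]);
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return;
    }

    include $file;
}
```

The allowlist is the actual control; the `realpath` containment check only guards against a future edit that puts a user-influenced value into the table. Reviewers auditing a plugin for this weakness class should look for any `include`, `require`, `include_once` or `require_once` whose operand is built from `$_GET`, `$_POST`, `$_REQUEST`, shortcode attributes or option values that an untrusted role can set.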
Affected Systems
WordPress sites running RadiusTheme's Testimonial Slider And Showcase Pro plugin version 2.1.7 or earlier are affected; every release up to and including 2.1.7 is vulnerable.
Risk and Exploitability
The risk is moderate to high owing to the CVSS score of 7.5, but the EPSS score of < 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. From the description, it can be inferred that an attacker could trigger the flaw by requesting a crafted URL or manipulating a parameter that the plugin passes to include/require, potentially without authentication if the plugin does not restrict access. The exact attack vector and authentication requirements are not detailed in the provided data, so site administrators should assume that the flaw could be exploited by unauthenticated or low-privilege users until a patched version is installed.
OpenCVE Enrichment