Impact
The vulnerability arises from improper validation of filenames passed to PHP include/require statements within the WhatsApp Click to Chat Plugin. An attacker could supply a crafted path that causes the plugin to read arbitrary files from the server, potentially exposing sensitive configuration files, credentials, or other confidential data. The weakness corresponds to CWE‑98 and carries a CVSS score of 7.5, indicating a high severity for confidentiality and integrity if exploited.
Affected Systems
WordPress sites using the Indie Plugins WhatsApp Click to Chat Plugin for WordPress, with any version up to and including 2.2.12. This includes deployments where the plugin is installed via the default WordPress plugin directory or a custom location, but the vulnerability specifically applies to the plugin’s source code that handles file inclusion.
Risk and Exploitability
The EPSS score is reported as less than 1 %, suggesting the probability of exploitation is very low as of now, and the vulnerability is not yet listed in the CISA KEV catalog. Nonetheless, local file inclusion can still be abused by an attacker who is able to trigger the plugin's file inclusion logic, whether as an administrator, through a compromised user account, or via cross‑site scripting that injects malicious query parameters, thereby enabling unauthorized information disclosure. The attack vector is inferred to involve manipulated plugin input parameters, given the nature of the flaw, but explicit remote code execution is not documented in the provided description.
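The CWE‑98 pattern described under Impact, as an added illustration that is not code from the WhatsApp Click to Chat plugin: a hypothetical template loader that builds an include path from a request parameter, beside a hardened version that maps the input onto a fixed allowlist and verifies the resolved path. The function names, the `layout` parameter and the template paths are constructed for this example; `plugin_dir_path`, `sanitize_key` and `wp_unslash` are standard WordPress helpers.

```php
<?php
// Added illustration, not code from the plugin. Names, the 'layout' parameter
// and the template paths are constructed for this example.

// Weak pattern (CWE-98): the request value is concatenated into the include
// path, so the caller controls which file on the server is loaded.
function example_load_template_unsafe( string $layout ): void {
    include plugin_dir_path( __FILE__ ) . 'templates/' . $layout . '.php';
}

// Hardened pattern: the untrusted value is only ever used as an array key into
// an allowlist of files the plugin ships; it never becomes part of a path.
function example_load_template_safe( string $layout ): void {
    $allowed = array(
        'default' => 'templates/default.php',
        'compact' => 'templates/compact.php',
    );
    if ( ! isset( $allowed[ $layout ] ) ) {
        $layout = 'default'; // fall back instead of trusting the input
    }

    // Defence in depth: resolve both paths and confirm the target is still
    // inside the plugin directory before including it.
    $base = realpath( plugin_dir_path( __FILE__ ) );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $layout ] );
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return;
    }
    include $file;
}

// Usage: normalise the request value with the WordPress helper, then look it up.
$layout = isset( $_GET['layout'] )
    ? sanitize_key( wp_unslash( $_GET['layout'] ) )
    : 'default';
example_load_template_safe( $layout );
```

The allowlist is the actual fix; the `realpath` check only catches mistakes in the allowlist itself, such as an entry that accidentally points outside the plugin directory.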
OpenCVE Enrichment