Impact
The SigmaPlugin Advanced Database Cleaner PRO WordPress plugin does not properly sanitize user-supplied .txt file paths, which allows path traversal using sequences of the form ".../...//". That form is the classic bypass for a filter that strips "../" in a single pass: once each "../" substring has been removed, the characters left behind re-form "../", so the traversal survives the filter. The flaw can enable an attacker to read arbitrary files on the server whose names end in .txt, potentially revealing sensitive configuration data or credentials stored in such files. Because the read is limited to the .txt extension, core files such as wp-config.php are not reachable on the basis of this description; what is exposed depends on which .txt files (logs, notes, exports, backups) exist on the host. The CVSS score of 6.4 indicates a medium severity vulnerability that primarily impacts confidentiality and does not directly affect integrity or availability.
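As an added illustration (not the plugin's code, which this page does not show), the following Python sketch demonstrates why a ".../...//" payload survives a filter that strips "../" once, and how a resolver should handle the same input instead. The function names, the directory layout, the file names and the file contents are all hypothetical and constructed for the example; the weak resolver is a generic single-pass strip of the kind such a payload is built to bypass, and the hardened one canonicalises the path, checks containment, and only then enforces the extension.

```python
import os
import tempfile


def naive_sanitize(user_path: str) -> str:
    """Hypothetical single-pass filter of the kind a ".../...//" payload is
    built to defeat: every "../" is removed once, and the characters left
    behind re-form "../". Illustration only, not the plugin's code."""
    return user_path.replace("../", "")


def naive_resolve(base_dir: str, user_path: str) -> str:
    """Resolve a user-supplied .txt path the weak way: filter, check the
    extension on the raw string, then join. Purely lexical."""
    cleaned = naive_sanitize(user_path)
    if not cleaned.endswith(".txt"):
        raise ValueError("only .txt files may be read")
    return os.path.normpath(os.path.join(base_dir, cleaned))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Hardened variant: canonicalise with realpath (collapses "..", "."
    and symlinks), require the result to stay under base_dir, then enforce
    the extension on the canonical name rather than on the raw input."""
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes the allowed directory")
    if os.path.splitext(candidate)[1].lower() != ".txt":
        raise ValueError("only .txt files may be read")
    return candidate


def is_contained(base_dir: str, user_path: str) -> bool:
    """True if safe_resolve accepts user_path, False if it rejects it."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Constructed sample tree: one in-scope log under a hypothetical plugin
    directory and one out-of-scope .txt three levels up. Returns what each
    resolver lets the plain and the doubled traversal form reach."""
    plain = "../../../secret-notes.txt"
    payload = ".../...//.../...//.../...//secret-notes.txt"
    results = {"stripped_payload": naive_sanitize(payload)}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "wp-content", "uploads", "adc")
        os.makedirs(base)
        with open(os.path.join(base, "cleanup-log.txt"), "w") as fh:
            fh.write("constructed sample: in-scope log\n")
        with open(os.path.join(root, "secret-notes.txt"), "w") as fh:
            fh.write("constructed sample: out-of-scope file\n")

        # Weak resolver: the plain form is neutralised because its "../"
        # are simply deleted, so the result stays inside base_dir ...
        results["naive_plain_stays_inside"] = naive_resolve(base, plain) == \
            os.path.normpath(os.path.join(base, "secret-notes.txt"))
        # ... but the doubled form re-forms "../../../" after filtering and
        # walks out of base_dir to the out-of-scope file.
        with open(naive_resolve(base, payload)) as fh:
            results["naive_payload_read"] = fh.read().strip()

        # Hardened resolver: the plain escape is rejected by the containment
        # check, and the doubled form is never reinterpreted as traversal;
        # it canonicalises to a non-existent name under base_dir, so no file
        # outside the directory is reachable either way.
        base_real = os.path.realpath(base)
        results["safe_rejects_plain"] = not is_contained(base, plain)
        results["safe_payload_stays_inside"] = \
            safe_resolve(base, payload).startswith(base_real + os.sep)
        results["safe_allows_in_scope"] = is_contained(base, "cleanup-log.txt")
        results["safe_rejects_non_txt"] = not is_contained(base, "cleanup-log.php")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering is what matters: canonicalise first, then check that the resolved path is inside the allowed directory, then check the extension on the resolved name. In PHP the same shape is realpath() on the base directory and on the joined candidate followed by a prefix comparison of the two resolved strings; note that PHP's realpath() returns false for a path that does not exist, and that result has to be treated as a rejection rather than passed on to the file read.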
Affected Systems
The vulnerability affects the SigmaPlugin Advanced Database Cleaner PRO plugin for WordPress in all versions up to and including 3.2.10; releases later than 3.2.10 are not listed as affected.
Risk and Exploitability
The EPSS score of under 1% estimates a low probability of exploitation in the wild over the next 30 days, and the CVSS score of 6.4 places the issue at medium severity. The attack vector is a request to the plugin endpoint that reads .txt files, with the file path under the attacker's control; whether that request requires a WordPress account with access to the plugin's interface or can be sent by an unauthenticated remote party is not settled by this description, and the answer determines how widely exposed a given site is. A successful request returns the contents of any .txt file that the web server process is permitted to read, potentially disclosing sensitive configuration information kept in such files. The vulnerability is not listed in the CISA KEV catalog, which means CISA has no confirmed reports of active exploitation, not that no exploit exists; the potential for data exposure still warrants timely remediation by updating the plugin to a version later than 3.2.10.
OpenCVE Enrichment