Impact
The bug is a Cross-Site Request Forgery (CSRF) in the Plugin Central WordPress plugin: an attacker can make the browser of a logged-in user submit a file-deletion request that the plugin then carries out with that user's privileges. The deletion routine also has a path traversal flaw, so the request is not confined to the plugin's own directory; any path the web server process can write to is a candidate for deletion. Successful exploitation destroys files, potentially including site configuration (for example wp-config.php), plugin or theme code, and backups kept under the web root. The primary impact is on availability and integrity. Confidentiality can be affected indirectly, for example if the deleted file was an access-control or configuration file that had been protecting other content.
Affected Systems
Vladimir Prelovac's Plugin Central plugin is affected in all releases up to and including version 2.5.1. Any WordPress site with one of those releases installed and activated is exposed; the record does not state whether a fixed release exists, so treat the plugin as vulnerable until the vendor says otherwise. No other products, versions or operating systems are listed.
Risk and Exploitability
The CVSS base score of 7.4 rates the issue as high severity. The EPSS score below 1% indicates a low estimated probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalogue. The likely attack path, inferred from the two vulnerability classes rather than stated in the record, is a classic CSRF: the attacker needs a victim who is logged in to the WordPress site and has access to the plugin's deletion function, and lures that victim to attacker-controlled content (a link, a hidden auto-submitting form, or, if the endpoint accepts GET requests, an embedded image). The victim's browser sends the deletion request with the victim's session cookies attached, so no credential theft or authentication bypass is needed. The path traversal component means the attacker chooses the file name, and sequences such as ../ let it reach paths outside the directory the plugin was meant to manage, which is what turns a nuisance into the deletion of critical files.
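The two checks that separate the vulnerable pattern described above from a safe one, as an added example that is not Plugin Central's code and not taken from the advisory. In a real WordPress plugin the nonce check is check_admin_referer()/wp_verify_nonce() and the capability check is current_user_can(); here they are modelled in Python so the behaviour can be run stand-alone. PLUGIN_ACTION, the request dict shape, SITE_SECRET (standing in for the WordPress salts) and the throwaway directory tree are all constructed assumptions, and unlike wp_create_nonce() this token has no expiry window.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional

# Constructed example, not Plugin Central's code. PLUGIN_ACTION, the request
# dict shape and SITE_SECRET (a stand-in for the WordPress salts) are assumptions.
PLUGIN_ACTION = "plugin_central_delete"
SITE_SECRET = secrets.token_bytes(32)


class Forbidden(Exception):
    """Raised with the name of the check that rejected the request."""


def make_nonce(user_id: int, action: str) -> str:
    # Bound to the user, the action and a server-side secret, so a page on
    # another origin cannot compute it for the victim's browser to send.
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()[:24]


def verify_nonce(user_id: int, action: str, supplied: Optional[str]) -> bool:
    return hmac.compare_digest(make_nonce(user_id, action), supplied or "")


def resolve_within(base_dir: Path, requested: str) -> Optional[Path]:
    """Canonicalise base/requested and return it only if it stays under base."""
    base = base_dir.resolve()
    if os.path.isabs(requested):               # base / "/etc/passwd" would discard base
        return None
    candidate = (base / requested).resolve()   # collapses ../ and follows symlinks
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def vulnerable_delete(request: dict, base_dir: Path) -> None:
    # The pattern the advisory describes: no nonce, no capability check, and
    # the user-supplied name joined straight onto the plugin directory.
    os.remove(os.path.join(str(base_dir), request.get("file", "")))


def hardened_delete(request: dict, base_dir: Path, user_id: int, can_manage: bool) -> str:
    if not can_manage:                                    # WP: current_user_can()
        raise Forbidden("capability")
    if not verify_nonce(user_id, PLUGIN_ACTION, request.get("_wpnonce")):
        raise Forbidden("nonce")                          # a cross-site request stops here
    target = resolve_within(base_dir, request.get("file", ""))
    if target is None or not target.is_file():
        raise Forbidden("path")                           # traversal or non-file stops here
    target.unlink()
    return str(target.relative_to(base_dir.resolve()))


def run_demo() -> dict:
    """Build a throwaway WordPress-like tree (constructed) and exercise both handlers."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / "wp-content" / "plugins" / "plugin-central"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "cache.txt").write_text("stale cache")   # file the plugin may delete
    (root / "wp-config.php").write_text("DB_PASSWORD")      # file it must never reach
    traversal = {"file": "../../../wp-config.php"}
    uid = 7
    nonce = make_nonce(uid, PLUGIN_ACTION)
    out = {}

    def rejected_by(req, can_manage=True):
        try:
            hardened_delete(req, plugin_dir, uid, can_manage)
        except Forbidden as e:
            return str(e)
        return None

    out["forged_request"] = rejected_by({"file": "cache.txt"})          # CSRF: no nonce
    out["traversal"] = rejected_by({**traversal, "_wpnonce": nonce})    # valid nonce, bad path
    out["absolute"] = rejected_by({"file": str(root / "wp-config.php"), "_wpnonce": nonce})
    out["unprivileged"] = rejected_by({"file": "cache.txt", "_wpnonce": nonce}, can_manage=False)
    out["config_intact_after_hardened"] = (root / "wp-config.php").exists()
    out["legit"] = hardened_delete({"file": "cache.txt", "_wpnonce": nonce}, plugin_dir, uid, True)
    vulnerable_delete(traversal, plugin_dir)
    out["config_intact_after_vulnerable"] = (root / "wp-config.php").exists()
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The order of checks matters: capability first, then the nonce, then the path, so a forged request is rejected before any file name is even looked at. Checking containment on the resolved path rather than by string-matching for "../" also covers absolute paths and symlinks, which a naive filter misses.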