Impact
The Graphina plugin for WordPress contains a cross-site request forgery (CSRF) flaw that allows an attacker to submit forged requests on behalf of a logged-in user. By manipulating the plugin's request parameters, the attacker can cause the server to include files from the local filesystem through PHP's include mechanisms (a local file inclusion). The vulnerability does not directly grant code execution, but it can expose sensitive configuration files or other internal data. If the included file contains PHP code, remote code execution is possible, but the CVE description does not confirm that outcome.
Affected Systems
Graphina versions up to and including 3.0.4, published by Iqonic Design, are affected. Any WordPress installation that has not upgraded beyond 3.0.4 and has the plugin enabled is potentially vulnerable regardless of the underlying operating system or server configuration, as the flaw resides in the plugin code itself.
Risk and Exploitability
The CVSS score of 8.1 reflects high severity. The EPSS score of below 1 % indicates a low probability of exploitation today, and the flaw is not listed in the CISA KEV catalog, meaning CISA has not recorded exploitation in the wild. The likely attack vector requires an authenticated user's session: the attacker fabricates a POST or GET request that the victim's browser submits, which triggers the inclusion. If local files are read, confidentiality is compromised; if PHP code is executed, integrity and availability could also be affected. Administrators should treat this vulnerability as high priority for remediation.
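The two weaknesses described above (a request handler that accepts forged requests, and a request parameter that reaches PHP's include) are usually fixed together in WordPress plugin code. The following is an added illustration written for this page, not Graphina's code; the handler, action and parameter names are hypothetical. It shows the generic insecure pattern beside a hardened handler that ties the request to a nonce and capability check and maps the parameter onto a fixed allowlist of template files.

```php
<?php
// Added illustration, not the plugin's own code. The function names, the
// "template" parameter and the templates/ directory are hypothetical.

// Insecure pattern: no nonce, no capability check, and the raw request
// parameter is concatenated into the path handed to include().
function example_render_template_insecure() {
    $template = $_REQUEST['template'] ?? 'default';
    include plugin_dir_path( __FILE__ ) . 'templates/' . $template . '.php';
    wp_die();
}

// Hardened pattern.
function example_render_template_hardened() {
    // 1. CSRF: require a nonce bound to this action and the current user's
    //    session. check_ajax_referer() dies with HTTP 403 if it is missing or stale.
    check_ajax_referer( 'example_render_template', 'nonce' );

    // 2. Authorization: a valid session is not the same as permission.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    // 3. Input: map the parameter onto an allowlist instead of building a path
    //    from it, so traversal sequences and arbitrary filenames never reach include().
    $allowed = array(
        'default' => 'default.php',
        'bar'     => 'bar.php',
        'line'    => 'line.php',
    );
    $key = sanitize_key( wp_unslash( $_POST['template'] ?? '' ) );
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 ); // exits
    }

    // 4. Defence in depth: resolve the final path and confirm it is still
    //    inside the templates directory before including it.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $path = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $key ] );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid template path', 400 ); // exits
    }

    include $path;
    wp_die();
}
add_action( 'wp_ajax_example_render_template', 'example_render_template_hardened' );
```

The client side must send the matching nonce, created with `wp_create_nonce( 'example_render_template' )` and passed as the `nonce` field of the POST body; a forged cross-site request cannot obtain that value, so the nonce check alone stops the CSRF, while the allowlist and path check ensure that even a legitimately authenticated request can only include the plugin's own template files.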
OpenCVE Enrichment