Improper control of the filename supplied to a PHP include/require statement allows a local file inclusion attack in the LCweb PrivateContent—Mail Actions WordPress plugin. The vulnerability enables an attacker to read arbitrary files from the server’s filesystem, potentially exposing configuration files, credentials, or other sensitive data. In the worst case, the read access could be used to pivot to further attacks such as remote code execution or credential theft, compromising the confidentiality and integrity of the affected WordPress installation.

The affected product is the LCweb PrivateContent—Mail Actions plugin for WordPress, versions up to and including 2.3.2. No other vendors or products are listed as affected in the CNA information.

The CVSS score of 7.5 reflects a high severity for this LFI. The EPSS score of less than 1% indicates a very low probability that attackers will exploit it at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion through the plugin’s filename handling, which may be triggered by crafted requests that influence the include path. Successful exploitation requires the attacker to be able to influence the filename value used in the include/require call, so authenticated or unauthenticated users with access to the plugin’s endpoints could potentially exploit the flaw.