This vulnerability arises from improper control of filenames used in include/require statements within the Solwin Blog Designer PRO plugin. The flaw corresponds to CWE-98, which describes improper control of filename for include/require statements. It allows an authenticated user to specify a local file path, causing the plugin to include that file and potentially expose its contents. Because the flaw is non‑arbitrary, the attacker must first be authenticated within the WordPress system, but once authenticated they can read or possibly execute local files that the authenticated user can access.

The flaw affects the Blog Designer PRO plugin from its earliest release up to and including version 3.4.7. Any WordPress installation that has the plugin installed and has not yet upgraded beyond 3.4.7 is vulnerable. The plugin is developed by Solwin, and the vulnerability is present in all versions in that range.

The CVSS score of 7.5 indicates a high impact if exploited, with an EPSS of less than 1% suggesting the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, requiring authenticated access to a WordPress account that has permission to use the plugin. Once authenticated, the attacker can read arbitrary local files through the include mechanism, exposing sensitive configuration, credentials or other data stored on the server.