Impact
The vulnerability in the Formality WordPress plugin stems from improper validation of filenames used in PHP include/require statements, enabling Local File Inclusion. An attacker who can influence the include path can read any file on the server that the web server process can access and, in some circumstances, may execute arbitrary PHP code. This weakness is classified as CWE-98 (improper control of filename for include/require statement), indicating insufficient sanitization of include paths.
Affected Systems
The issue affects all releases of the Formality plugin by Michele Giorgi that are version 1.5.9 or earlier.
Risk and Exploitability
With a CVSS score of 8.1, the vulnerability is considered high severity. The EPSS score of 2% indicates a low probability of widespread exploitation at this time, and the vulnerability is not listed in CISA KEV. The likely attack vector is an attacker submitting a crafted request that the plugin processes to build the include path, such as a malicious query string or form field. Because the flaw allows inclusion of arbitrary local files, an attacker can read confidential data, or execute code if the included file contains PHP code and the server interprets it.
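To make the CWE-98 pattern concrete, the following is an added illustration written for this page; it is not code from the Formality plugin and does not reflect how that plugin builds its include paths. The function and template names (render_template_unsafe, resolve_template, ALLOWED_TEMPLATES, the template directory layout) are hypothetical. It shows the generic unsafe shape, where request input reaches include unchecked, beside a hardened loader that accepts only allowlisted names and confirms the canonical path stays inside the plugin's template directory.

```php
<?php
// Added illustration, not code from the Formality plugin.
// A hypothetical template loader in the style of a WordPress plugin, shown
// first in its unsafe form and then hardened against Local File Inclusion.

// UNSAFE: the include path is built from untrusted input with no validation.
// Any value containing path separators or ".." escapes the template directory,
// so the request decides which local file PHP reads and interprets (CWE-98).
function render_template_unsafe(string $template_dir, string $requested): void {
    include $template_dir . '/' . $requested . '.php';
}

// HARDENED: only these template names are ever mapped to files (hypothetical list).
const ALLOWED_TEMPLATES = ['default', 'compact', 'wizard'];

// Returns the absolute path of an allowed template, or null if the request
// must be rejected. Every check is independent so that a bug in one layer
// does not silently re-open the include to attacker-controlled paths.
function resolve_template(string $template_dir, string $requested): ?string {
    // 1. Accept only a plain identifier: no slashes, dots, NUL bytes or wrappers.
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $requested)) {
        return null;
    }
    // 2. The identifier must be one of the known templates (strict comparison).
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 3. Canonicalise both the base directory and the candidate file, then
    //    require the file to sit strictly below the base. realpath() returns
    //    false for missing files, so an absent template is also rejected here.
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $template_dir, string $requested): void {
    $path = resolve_template($template_dir, $requested);
    if ($path === null) {
        // Never echo or include the rejected value; fall back to a fixed default.
        $path = $template_dir . DIRECTORY_SEPARATOR . 'default.php';
    }
    include $path;
}

// Hypothetical usage inside a plugin request handler. $_GET['template'] is
// attacker-controlled; the hardened loader treats it purely as a lookup key.
$name = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
render_template(__DIR__ . DIRECTORY_SEPARATOR . 'templates', $name);
```

The allowlist is the control that actually removes the CWE-98 condition: once request input can only select among fixed names, the later realpath() containment check is defence in depth against a future edit that loosens the regex or the list. When reviewing a plugin for this class of bug, the question to ask of every include, require, include_once and require_once is whether any part of the path can be traced back to a request parameter, option value or uploaded file name without passing through such a mapping.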