The Vulnerability is caused by the Tourmaster plugin’s failure to validate filenames supplied to its PHP include or require statements, which permits an attacker to include arbitrary files located on the web server’s filesystem. This flaw exposes the site to the disclosure of sensitive configuration data, credentials, or the execution of malicious code, especially if a writable file is targeted. The weakness carries a CVSS score of 8.1, classifying it as a high‑severity flaw.

Any WordPress installation that has the GoodLayers Tourmaster plugin installed at version 5.3.8 or earlier is impacted. This includes every release from the earliest available version up through 5.3.8. Site administrators should verify the current plugin version and determine if an upgrade is required.

Although the EPSS score for this vulnerability is below 1 %, indicating a low likelihood of current exploitation, the flaw remains serious because it grants unrestricted file inclusion. It is not listed in the CISA KEV catalog. The attack vector is inferred to be a crafted HTTP request that feeds a malicious filename into the plugin’s inclusion mechanism, allowing a remote or locally authenticated attacker to access any file on the server. Because the exploitation probability is low but the potential impact is high, administrators should prioritize applying the vendor’s fix or removing the plugin as soon as possible.