Impact
This vulnerability arises from improper control of the filename used in an include/require statement within the SEOPress for MainWP plugin, resulting in a local file inclusion flaw. An attacker who can influence the filename can cause the server to read or execute sensitive local files, potentially leading to PHP code execution or data disclosure. The weakness is classified as a File Inclusion vulnerability (CWE-98).
Affected Systems
The affected product is the SEOPress for MainWP plugin, authored by Benjamin Denis. All versions of the plugin up to and including 1.4 are vulnerable; the earliest affected version is unknown. Any WordPress instance that deploys SEOPress for MainWP version 1.4 or earlier is at risk.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests a relatively low probability of exploitation observed so far. The vulnerability is not listed in the CISA KEV catalog. An attacker would likely exploit the flaw by triggering the plugin’s include/require path with a crafted filename, possibly via a web request or through the plugin’s administration interface. Proper authentication is required to reach the affected code path, but if the application does not enforce strict permission checks, the local file inclusion could be used to read configuration files or inject malicious code.