The vulnerability resides in the Real Time Validation for Gravity Forms plugin for WordPress and stems from improper control of a filename used in a PHP include/require statement. Because the plugin accepts user-supplied data for the filename, an attacker may force the inclusion of arbitrary local files, exposing sensitive configuration files, application code, or other data. This flaw corresponds to CWE‑98 and can potentially be used as a stepping‑stone toward remote code execution if the attacker manages to include a file that can be executed.

Vulnerable systems include any WordPress installation running the Real Time Validation for Gravity Forms plugin version 1.7.0 or earlier. The plugin is developed by Daman Jeet and is designed to perform real‑time validation for Gravity Forms. No specific sub‑versions beyond the 1.7.0 boundary are affected.

The CVSS score for the vulnerable plugin is 7.5, indicating a high severity. The EPSS score of less than 1 percent reveals that the probability of exploitation in recent months has been low, and the issue is not listed in the CISA KEV catalog. The likely attack vector is through maliciously crafted input in a Gravity Form, which could result in local file inclusion and read‑only disclosure of sensitive files. The exploitation conditions are minimal: the attacker only needs to submit a form with a manipulated filename parameter; no additional privileges or remote code execution are required by the plugin itself.