Impact
The WP Abstracts plugin contains improper control of the filename used in a PHP include/require statement, a classic example of CWE-98 (local file inclusion). An attacker can supply arbitrary paths that the server will read and execute, potentially exposing sensitive files under the webroot or even executing injected PHP code. The vulnerability can lead to data disclosure, or to remote code execution if the included file contains executable code, compromising the entire WordPress site's confidentiality, integrity, or availability.
Affected Systems
Any installation of the WP Abstracts plugin from the original release up to and including version 2.7.4 is affected. The plugin is developed and distributed by Kevon Adonis. The issue applies to all WordPress sites running the specified versions of the plugin, regardless of theme or other plugins.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity rating. The EPSS score of less than 1% suggests a very low likelihood of exploitation at this time, but it is not zero and may rise as attackers become aware of the vulnerability. The vulnerability is not listed in CISA KEV, meaning there is no known widespread exploitation yet. Based on the description, the attack vector is local file inclusion via a crafted web request that abuses the plugin's filename handling. No privilege escalation or authentication requirement is explicitly mentioned, implying that an unauthenticated web user could exploit the flaw by manipulating request parameters that influence the include path.
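The following PHP snippet is an added illustration of the CWE-98 pattern described in the Impact and Risk sections and of the fix a maintainer would apply; it is generic, hypothetical code and not the WP Abstracts plugin's own source. The `view` parameter, the `views/` directory, `ALLOWED_VIEWS` and all function names are assumptions chosen for the example.

```php
<?php
// Added illustration of CWE-98 (improper control of a filename used in include/require).
// Hypothetical code: NOT taken from the WP Abstracts plugin.

// --- Vulnerable pattern: a request parameter flows straight into include().
// Any file the web server user can read becomes reachable (traversal with "../",
// absolute paths, or previously uploaded files containing PHP).
function render_view_unsafe(array $get): void
{
    $view = $get['view'] ?? 'list';
    include __DIR__ . '/views/' . $view . '.php';
}

// --- Hardened pattern: allowlist first, canonical-path confinement as defence in depth.
const ALLOWED_VIEWS = ['list', 'detail', 'submit'];   // assumed set of legitimate views

function resolve_view(string $view): ?string
{
    // 1. Allowlist: the parameter must name a known view, nothing else.
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;
    }

    // 2. Canonicalise and confirm the resolved file still lives inside the views directory.
    $base = realpath(__DIR__ . '/views');
    $path = realpath($base . '/' . $view . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_view_safe(array $get): void
{
    $view = (string) ($get['view'] ?? 'list');
    // Inside WordPress, sanitize_key() additionally reduces the value to [a-z0-9_-].
    if (function_exists('sanitize_key')) {
        $view = sanitize_key($view);
    }

    $path = resolve_view($view);
    if ($path === null) {
        // Reject instead of falling back to user-controlled input; log for detection.
        error_log('Rejected view parameter: ' . $view);
        http_response_code(400);
        return;
    }
    include $path;
}

// --- Detection aid for log or WAF review: flags parameter values that are never
// legitimate for a view name (traversal, separators, NUL bytes, stream wrappers).
function looks_like_inclusion_probe(string $value): bool
{
    return strpos($value, '..') !== false
        || strpbrk($value, "/\\\0") !== false
        || preg_match('#^[a-z0-9.+-]+://#i', $value) === 1;
}
```

Two design points: the allowlist is the real control, because `realpath()` alone still lets a caller reach any `.php` file inside `views/`; and `resolve_view()` returns `null` rather than a default template on failure, so a rejected request never silently includes something else. `looks_like_inclusion_probe()` is meant for reviewing access logs or request parameters after the fact, not as a substitute for the allowlist.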
OpenCVE Enrichment