Impact
The vulnerability is a path traversal flaw in the AA‑Team Pro Bulk Watermark Plugin for WordPress, affecting all versions up to and including 2.0. The flaw arises from an improperly sanitized path component: an attacker can supply input containing "../..//", and the plugin passes the resulting path to file system operations without confining it to the intended directory. This lets the attacker read arbitrary files on the server, potentially exposing sensitive configuration, source code, or user data. The underlying weakness is categorized as CWE‑35.
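The following is an added PHP example, not code from the plugin or from the advisory. It shows why the weakness class the advisory cites matters for defenders: CWE‑35 covers the ".../...//" form of traversal, which a single‑pass removal of "../" collapses back into "../", so a filter of that kind manufactures the very sequence it was meant to strip. Beside it is the containment check a hardened plugin would perform instead: resolve the candidate path with realpath() and require it to stay under the upload directory. The function names (naive_strip, resolve_within) and the temporary sandbox directory are assumptions made for the demonstration; a real plugin would pass wp_upload_dir()['basedir'] as the base.

```php
<?php
// Added example (not the plugin's code): CWE-35 bypass of naive "../"
// stripping, and a realpath()-based containment check as the hardened form.

// Naive filter: one pass of str_replace(). This is the pattern CWE-35 names.
function naive_strip(string $path): string
{
    return str_replace('../', '', $path);
}

// Hardened form: resolve the candidate against $base and require that the
// canonical result still lies inside $base. Returns null on any failure.
function resolve_within(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // NUL bytes can truncate paths in lower layers; reject them outright.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and fails for paths that
    // do not exist, so a component such as "..." is rejected here too.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path escaped the base directory
    }
    return $candidate;
}

// Constructed sandbox (assumption): an "uploads" dir with one image, and a
// file that sits outside it and must never be reachable.
$root = sys_get_temp_dir() . '/wm_demo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/uploads/photo.jpg", 'JPEG');
file_put_contents("$root/secret.txt", 'outside the upload directory');

$probe = '.../...//secret.txt'; // the CWE-35 shape
echo "naive filter turns '$probe' into '" . naive_strip($probe) . "'\n";
// The filtered string is "../secret.txt", which resolves outside uploads:
echo 'naive result resolves to: '
    . realpath("$root/uploads/" . naive_strip($probe)) . "\n";

// The containment check rejects every traversal form and accepts the real file.
foreach (['photo.jpg', $probe, '../secret.txt', 'missing.jpg'] as $p) {
    $r = resolve_within("$root/uploads", $p);
    printf("%-22s => %s\n", $p, $r === null ? 'REJECTED' : 'ok: ' . basename($r));
}

// Clean up the sandbox.
unlink("$root/uploads/photo.jpg");
unlink("$root/secret.txt");
rmdir("$root/uploads");
rmdir($root);
```

Two design points are worth noting. First, the check compares canonical paths rather than inspecting the user string, so it is indifferent to how the traversal is spelled ("../", ".../...//", URL‑encoded variants decoded upstream, or a symlink planted inside the upload directory). Second, because realpath() returns false for paths that do not yet exist, this exact form only suits read operations such as the one the advisory describes; for a write target, resolve and check the parent directory and then append a validated basename.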
Affected Systems
All installations of the AA‑Team Pro Bulk Watermark Plugin for WordPress with a version of 2.0 or earlier are affected. The CVE notes that the range is from unknown older releases through 2.0, meaning any deployment of the plugin at or below that version is vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates medium severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation is very low at this time. The vulnerability is not listed in the CISA KEV catalog. The plugin operates within the WordPress media handling workflow, so the attack vector is inferred to be remote, through authenticated or unauthenticated use of the watermarking feature depending on the site’s configuration. No exploitation prerequisites beyond the vulnerability’s presence are explicitly stated; the attacker does, however, need to supply the crafted path input that triggers the traversal.
OpenCVE Enrichment