Impact
The vulnerability, described as a Path Traversal issue, allows an attacker to include local files through unsanitized file paths within the Leyka plugin. This is a classic Local File Inclusion flaw, classed as CWE-35. If an attacker can control the path used in the inclusion, they may read sensitive configuration files or log data and, in the worst case, execute code if the included file contains executable code. Reports indicate the vulnerability can be triggered via URL parameters that construct the include path, giving a remote attacker a potential gateway to compromise data confidentiality and integrity. The exploit does not require privileged access on the server; it relies on the plugin’s insecure handling of user-supplied paths.
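To make the flaw concrete, the following is an added example written for this page; it is not code from the Leyka plugin. It places the unsafe pattern the advisory describes (a request value joined straight into an include path) beside a hardened resolver that only accepts allowlisted template names and then confirms the canonical path stays inside the template directory. The directory name, template names, the `template` parameter and the allowlist are all hypothetical.

```python
"""
Added example, not code from the Leyka plugin: the unsafe include pattern the
advisory describes, next to a hardened resolver. Directory names, template
names and the allowlist are hypothetical.
"""
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical allowlist of template files the plugin may include.
ALLOWED_TEMPLATES = frozenset({"donation-form.php", "thank-you.php"})


def resolve_unsafe(base_dir: str, requested: str) -> str:
    """The flawed pattern: the request value is joined into the include path
    unchanged, so a value such as '../../wp-config.php' climbs out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def is_within(root: str, candidate: str) -> bool:
    """True if candidate canonicalises to root or to something beneath it."""
    if "\x00" in candidate:          # realpath() rejects NUL; treat it as outside
        return False
    root = os.path.realpath(root)
    candidate = os.path.realpath(candidate)
    return os.path.commonpath([root, candidate]) == root


def resolve_hardened(base_dir: str, requested: str,
                     allowed: frozenset = ALLOWED_TEMPLATES) -> Optional[str]:
    """Return an include path only for a known template name inside base_dir.

    Three checks, cheapest first:
      1. decode once, so percent-encoded dots and slashes are judged on
         their real characters;
      2. accept only an exact allowlisted file name, which rules out every
         separator, dot-run ("....//") and NUL trick in one comparison;
      3. canonicalise and confirm containment, so a symlinked template or a
         mistake in the allowlist still cannot escape base_dir.
    """
    name = unquote(requested)
    if name not in allowed:
        return None
    candidate = os.path.join(base_dir, name)
    if not is_within(base_dir, candidate):
        return None
    return os.path.realpath(candidate)


def compare(base_dir: str, requested: str) -> dict:
    """Show what each resolver does with the same request value."""
    return {"unsafe": resolve_unsafe(base_dir, requested),
            "hardened": resolve_hardened(base_dir, requested)}


if __name__ == "__main__":
    base = "/var/www/html/wp-content/plugins/example-plugin/templates"  # hypothetical
    for value in ("donation-form.php", "../../../../wp-config.php",
                  "%2e%2e/%2e%2e/wp-config.php", "....//....//wp-config.php"):
        print(f"{value!r:36} -> {compare(base, value)}")
```

The allowlist is the real control; the containment check is defence in depth for the case where the allowlist is later widened to accept something it should not. Note that decoding happens exactly once before the comparison: decoding repeatedly would reintroduce the ambiguity the check is meant to remove.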
Affected Systems
The flaw affects all installations of the VaultDweller Leyka WordPress plugin with versions up through 3.32.1. Users of this plugin should verify their installed version and take action if they are operating a vulnerable release.
Risk and Exploitability
The CVSS score of 7.5 classifies the issue as high severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the vulnerability is not catalogued in CISA KEV. The attack vector is inferred to be remote, achievable through crafted HTTP requests to the plugin’s endpoints. Successful exploitation would allow an attacker to read arbitrary local files, potentially revealing credentials or enabling remote code execution if the included file is executable.
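Because the attack vector is crafted HTTP requests, the most useful operational check for a site running a vulnerable release is to look for traversal sequences in request parameters after the fact. The following is an added detection example, not part of the advisory and not tied to any real plugin endpoint: it scans Combined Log Format access-log lines, decodes each query parameter (including double-encoded values) and flags values carrying `../`, `..\`, dot runs such as `....//` or a NUL byte. The endpoint, the `template` parameter name and the log lines are constructed for the example.

```python
"""
Added example, not part of the advisory or of the Leyka plugin: a detection
pass over web-server access-log lines that flags request parameters carrying
path-traversal sequences, including URL-encoded and double-encoded forms and
the "....//" style names. Endpoint, parameter name and log lines are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Combined Log Format lines; the endpoint and the "template"
# parameter are hypothetical, not the plugin's real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /index.php?page=donate&template=donation-form.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:55:41 +0000] "GET /index.php?page=donate&template=../../wp-config.php HTTP/1.1" 200 3071 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2024:13:55:43 +0000] "GET /index.php?page=donate&template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 3071 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2024:13:55:47 +0000] "GET /index.php?page=donate&template=%252e%252e%252fwp-config.php HTTP/1.1" 200 3071 "-" "curl/8.4.0"
203.0.113.9 - - [10/Oct/2024:13:55:52 +0000] "GET /index.php?page=donate&template=....//....//wp-config.php HTTP/1.1" 200 3071 "-" "curl/8.4.0"
203.0.113.12 - - [10/Oct/2024:13:56:02 +0000] "GET /index.php?page=donate&template=form..v2.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Traversal indicators, checked after decoding: "../" or "..\", three or more
# dots before a separator (the "....//" family) and an embedded NUL byte.
TRAVERSAL_RE = re.compile(r'\.\.[/\\]|\.{3,}[/\\]|\x00')


def deep_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding until the string stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_traversal(target: str):
    """Return (param, decoded_value) pairs in one request target that look like traversal."""
    hits = []
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):  # decodes once
        value = deep_decode(raw)                                  # and again if needed
        if TRAVERSAL_RE.search(value):
            hits.append((name, value))
    return hits


def scan_log(text: str):
    """Scan access-log text; return one record per flagged request parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, value in flag_traversal(m.group("target")):
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "param": param, "value": value,
                             "status": m.group("status")})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} param={f['param']} "
              f"value={f['value']!r} status={f['status']}")
```

The last sample line (`form..v2.php`) is there to show the rule does not fire on dots that are not followed by a separator, which keeps false positives down on legitimate file names. A flagged request with a 200 status against an unpatched release is the combination worth escalating; the same rule over a longer window also shows whether the probing began before the plugin was updated.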