An attacker can exploit the Easy Pricing Table WP plugin by influencing the file name used in PHP include/require statements. The plugin accepts user-supplied input that is directly interpolated into the include path, leading to a PHP Local File Inclusion weakness (CWE‑98). This flaw allows the attacker to read arbitrary files on the server, and if the included file is a PHP script it could lead to code execution, compromising confidentiality, integrity, and possibly availability of the WordPress installation.

The vulnerability exists in the Easy Pricing Table WP plugin from Pluginwale, affecting all releases up to and including version 1.1.3. WordPress sites that have installed and activated this plugin are therefore impacted. Because the affected code path is part of the plugin’s core functionality, any site that uses the plugin without patching is vulnerable.

The CVSS score of 7.5 indicates a high impact vulnerability. The EPSS score of less than 1% suggests that, at least at the time of scoring, the likelihood of exploitation in the wild is low, and the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is local to the web application – an attacker would need to supply a crafted request that triggers the insecure include, typically via a public-facing URL or form that the plugin exposes. While a public exploit is not documented, the ability to read sensitive files or execute code means that the risk to a site running the affected plugin remains significant.