Impact
The vulnerability arises from insufficient validation of filenames used in PHP include/require statements, allowing an attacker to craft a path that references arbitrary files on the web server. This can lead to disclosure of sensitive configuration or code files and may facilitate execution of local code if the attacker can place malicious files in the includable paths. The weakness is classified as CWE‑98 and poses a significant breach of confidentiality and potential integrity of the site. The impact is local file inclusion rather than remote code execution, but the exposed files may contain critical information for further attacks.
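The filename validation whose absence CWE‑98 describes, shown as an added example (not code from the immonex Kickstart plugin or from this advisory): a hypothetical `resolve_template()` helper restricts a user-supplied name to a strict pattern and confirms with `realpath()` that the resolved file stays inside the template directory. The function name, directory layout and sample inputs are constructed for illustration.

```php
<?php
// Added example: hypothetical template loader, not immonex Kickstart code.
// Unsafe pattern it replaces (CWE-98): include $dir . '/' . $userInput . '.php';

function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Strict name pattern: no separators, dots or scheme prefixes.
    //    \A and \z anchor the whole string ("$" would allow a trailing newline).
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 2. Canonicalize, then require the result to stay under the base
    //    directory; this also rejects symlinks that lead outside it.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout in a temp directory so the example runs offline.
$root = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/list.php", "<?php return 'list view';");
file_put_contents("$root/secret.php", "<?php return 'not for visitors';");

// Constructed inputs: one valid name, then names that must be refused.
foreach (['list', '../secret', "$root/secret", 'list.php', 'missing'] as $in) {
    $file = resolve_template("$root/templates", $in);
    $result = $file !== null ? 'include ' . basename($file) . ' -> ' . (include $file) : 'rejected';
    printf("%s => %s\n", $in, $result);
}

// Clean up the constructed files.
unlink("$root/templates/list.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Only `list` resolves to a file and is included; every other input is rejected before any `include` runs.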
Affected Systems
WordPress installations that use the immonex Kickstart plugin versions up to and including 1.11.6 are affected. All sites running those versions share the same code path that is vulnerable. No other components are reported as impacted.
Risk and Exploitability
The CVSS base score of 7.5 indicates high severity, although the EPSS score is less than 1%, suggesting a low probability of exploitation at the current time. The issue is not listed in CISA’s KEV catalog. An attacker would need to supply a crafted filename parameter, which may be possible through legitimate plugin input fields or uploaded files. Successful exploitation would allow reading of local files; depending on the file types accessed, this could enable further compromise. Based on the description, the likely attack vector involves local file path manipulation via user-controlled input, potentially bypassing file upload restrictions if the plugin does not validate the path.