Impact
The vulnerability in the Workreap plugin is a Path Traversal flaw (CWE-22) that allows an attacker to delete arbitrary files on the server. By manipulating the file path used by the plugin’s code, an attacker can specify any filesystem location, resulting in the removal of files that may be critical to the website’s operation or confidentiality. The impact is a direct loss of data and potentially service interruption, as important configuration or content files can be permanently deleted.
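The pattern behind a CWE-22 file deletion, and the containment check that closes it, as an added illustration: this is constructed example code, not Workreap's code or anything from the advisory. The function names, the use of the WordPress uploads directory as the only permitted location, the `delete_posts` capability and the error codes are all assumptions.

```php
<?php
// Constructed example of CWE-22 in a WordPress-style "delete file" handler.
// Not Workreap's code: it shows the weak pattern the advisory describes
// beside a hardened version that confines deletion to one directory.

// --- Weak pattern: the request supplies the path and the code trusts it ---
function insecure_delete_upload( $requested ) {
    $base = wp_upload_dir()['basedir'] . '/';  // assumed storage directory
    // A value containing "../" segments resolves outside $base, and unlink()
    // removes whatever file the joined string points to.
    return @unlink( $base . $requested );
}

// --- Hardened pattern: authorize, then confine the resolved path to $base ---
function secure_delete_upload( $requested ) {
    // 1. Only authenticated users holding an appropriate capability reach this code
    //    (capability name is an assumption for the example).
    if ( ! is_user_logged_in() || ! current_user_can( 'delete_posts' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }

    // 2. Accept a bare file name only: no directory separators, no "." or "..".
    if ( $requested === '' || $requested === '.' || $requested === '..'
        || $requested !== basename( $requested ) ) {
        return new WP_Error( 'bad_name', 'File name must not contain path components.' );
    }

    // 3. Canonicalise both ends (realpath() also follows symlinks) and require
    //    the target to sit strictly below the base directory.
    $base   = realpath( wp_upload_dir()['basedir'] );
    $target = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( $base === false || $target === false
        || strncmp( $target, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return new WP_Error( 'outside_base', 'Refusing to delete outside the uploads directory.' );
    }

    // 4. Regular files only; a symlink pointing elsewhere already failed step 3.
    if ( ! is_file( $target ) ) {
        return new WP_Error( 'not_file', 'Target is not a regular file.' );
    }

    return unlink( $target );
}
```

The order matters: the capability check removes the unauthenticated case the advisory's missing privilege information leaves open, and the `realpath()` prefix comparison is what actually defeats traversal, since string filtering alone can be bypassed by encodings the filter did not anticipate. Comparing against `$base . DIRECTORY_SEPARATOR` rather than `$base` prevents a sibling directory whose name merely starts with the base name from passing the check.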
Affected Systems
The affected product is AmentoTech's Workreap plugin (the companion plugin of the Workreap theme) for WordPress. Versions from the earliest release up through 3.3.5 are impacted; the description states no specific lower bound. Users running Workreap 3.3.5 or earlier should confirm whether the plugin is installed and whether it is still needed.
Risk and Exploitability
The CVSS score of 7.7 indicates high severity, and the absence of any stated privilege requirement suggests that exploitation could be carried out by an unauthenticated or low-privileged attacker. The EPSS score of less than 1% indicates that, while the flaw is significant, the likelihood of exploitation in the wild is low at this time. The vulnerability is not listed in CISA’s KEV catalog, so there is no evidence of widespread active exploitation. It is inferred that an attacker could trigger the flaw through a crafted request that includes a directory traversal string in a file path parameter, but the exact input vector is not detailed in the advisory.
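Because the advisory gives no exact input vector, a site operator checking for attempts has to look for the generic signal: a traversal sequence in a request parameter. The following added example, not part of the advisory, scans combined-format web-server access-log lines for `..` segments, including URL-encoded and doubly-encoded forms. The log lines, the `action=example` value and the file names in them are constructed samples.

```php
<?php
// Added example: flag access-log entries whose request carries a directory
// traversal sequence in the path or query string. Sample lines are constructed.

function has_traversal( string $request ): bool {
    // Decode twice so both "%2e%2e" and "%252e%252e" collapse to "..".
    $decoded = $request;
    for ( $i = 0; $i < 2; $i++ ) {
        $decoded = rawurldecode( $decoded );
    }
    // Treat backslashes like forward slashes so Windows-style separators match too.
    $decoded = str_replace( '\\', '/', $decoded );
    // ".." must stand alone as a segment: preceded by start, "/", "=", "&" or "?",
    // and followed by "/" or end of string.
    return (bool) preg_match( '#(?:^|[/=&?])\.\.(?:/|$)#', $decoded );
}

function scan_access_log( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        // In combined log format the request is the quoted "METHOD PATH PROTO" field.
        if ( preg_match( '/"(?:GET|POST|PUT|DELETE) (\S+) HTTP/', $line, $m )
            && has_traversal( $m[1] ) ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines: one benign request, two with encoded traversal.
$sample = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=example&file=report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=example&file=..%2F..%2Fexample.txt HTTP/1.1" 200 12',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=example&file=%252e%252e%252fexample.txt HTTP/1.1" 200 12',
];

foreach ( scan_access_log( $sample ) as $hit ) {
    echo "suspicious: $hit\n";
}
```

Run against the sample, the scanner reports the second and third lines and leaves the first alone. A POST body is not recorded in standard access logs, so traversal sent in a form body needs a WAF or application-level log to be visible; the scan above covers only what appears in the request line.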
OpenCVE Enrichment