Impact
The vulnerability originates from improper validation of the filename used in include/require statements within the Anchor smooth scroll WordPress plugin by Processby. A malicious actor can influence the path passed to PHP's include mechanism and cause the server to include arbitrary files from its filesystem, exposing sensitive data or enabling further exploitation. The weakness is the file-inclusion class catalogued as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program); here it is reported as a local file inclusion. Because the path is derived from user input handled by the plugin, an attacker can read any file the web server process is permitted to open, including configuration files, credentials, and other critical assets, which compromises confidentiality. Note that include does not merely read a file: PHP parses it and executes any PHP code it contains, so when the included files contain executable code the flaw also enables code execution in the web server context and, from there, privilege escalation.
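The pattern behind CWE-98, shown as an added illustration that is not the Anchor smooth scroll plugin's code: a request-controlled string reaches include() unchanged, beside a hardened version that allowlists the value and then confirms the canonical path stays inside the intended directory. The `template` parameter, the `templates/` directory and the allowlist entries are assumptions made for the example.

```php
<?php
// Added illustration of CWE-98 in a WordPress-style plugin; NOT the plugin's
// own code. The "template" request parameter, the templates/ directory and the
// allowlist entries are assumed for the example.
declare(strict_types=1);

// Vulnerable pattern: the attacker-controlled string is concatenated straight
// into the include path. A value such as "../../../../wp-config" walks out of
// templates/, and PHP parses and executes whatever file the path points at.
function render_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: a strict allowlist decides what may be included, and
// realpath() containment is kept as defence in depth (it resolves ".." and
// symlinks and returns false for non-existent files).
const ALLOWED_TEMPLATES = ['default', 'compact'];

function is_allowed_template(string $template): bool
{
    // Strict comparison: no type juggling, exact string match only.
    return in_array($template, ALLOWED_TEMPLATES, true);
}

function resolve_template_path(string $template): ?string
{
    if (!is_allowed_template($template)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $template . '.php');
    // Require the resolved file to sit strictly inside $base.
    if ($path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $template): void
{
    $path = resolve_template_path($template);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}

// Constructed inputs: two legitimate values and three typical attack strings.
$samples = [
    'default',
    'compact',
    '../../../../wp-config',
    "default\0",
    'php://filter/convert.base64-encode/resource=../../wp-config',
];
foreach ($samples as $input) {
    printf("%-64s allowlist=%s\n", json_encode($input),
        is_allowed_template($input) ? 'pass' : 'reject');
}
```

The allowlist is the real control; traversal sequences, null bytes and stream wrappers never reach the filesystem because they are not in the list. The realpath() containment check only guards against a later change that widens the allowlist to something path-like.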
Affected Systems
The affected product is the Anchor smooth scroll WordPress plugin developed by Processby. All releases from the initial version up to and including 1.0.2 are reported vulnerable. No fixed version is listed, so any installed version up to 1.0.2 should be treated as affected; the installed version can be confirmed from the plugin header shown on the WordPress plugins screen.
Risk and Exploitability
The CVSS score of 8.1 rates this issue as high severity. The EPSS score is below 1 %, meaning exploitation in the wild is currently estimated as unlikely; a low probability does not reduce the impact if the flaw is exploited. The vulnerability is not listed in the CISA KEV catalog. An attacker would exploit it by sending crafted requests (URL parameters or form submissions) to the plugin's endpoint, which requires only the ability to reach the web application; no authentication or elevated privileges are needed beyond interacting with the vulnerable plugin. Although the files that get included are local to the web server, the attack itself is launched remotely through the web interface, so exposure is that of any internet-facing WordPress site running the plugin.
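Because exploitation arrives as crafted request parameters, a practitioner will also want to look back through web server logs for attempts. The following is an added detection example, not part of the advisory and not the plugin's code: it scans constructed access-log lines for the indicators typical of file-inclusion abuse (traversal sequences, null bytes, PHP stream wrappers, well-known sensitive targets). The request path `/wp-content/plugins/example-plugin/` and the `template` parameter are placeholders for the real endpoint and parameter name.

```php
<?php
// Added detection example; not from the advisory or the plugin. The log lines
// are constructed, and /wp-content/plugins/example-plugin/ plus the "template"
// parameter are placeholders for the real endpoint and parameter.
declare(strict_types=1);

$sampleLog = <<<'LOG'
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-content/plugins/example-plugin/?template=default HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/?template=../../../../wp-config.php HTTP/1.1" 200 2210
203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/?template=..%252F..%252Fetc%252Fpasswd%00 HTTP/1.1" 200 1834
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/plugins/example-plugin/?template=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 3001
LOG;

// Return the list of inclusion-abuse indicators present in a raw query string.
function inclusion_indicators(string $query): array
{
    // Decode twice so double-encoded traversal (%252e%252e%252f) is caught too.
    $decoded = rawurldecode(rawurldecode($query));
    $found = [];
    if (preg_match('#(\.\./|\.\.\\\\)#', $decoded)) {
        $found[] = 'path traversal';
    }
    if (str_contains($decoded, "\0")) {
        $found[] = 'null byte';
    }
    if (preg_match('#\b(php|data|expect|phar|file|zip|glob)://#i', $decoded)) {
        $found[] = 'stream wrapper';
    }
    if (preg_match('#(wp-config\.php|/etc/passwd|/proc/self)#i', $decoded)) {
        $found[] = 'sensitive target';
    }
    return $found;
}

// Walk a combined-format access log and return the lines that carry indicators.
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Pull the request target out of the quoted request line.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $query = explode('?', $m[1], 2)[1] ?? '';
        $indicators = inclusion_indicators($query);
        if ($indicators !== []) {
            $hits[] = ['line' => $line, 'indicators' => $indicators];
        }
    }
    return $hits;
}

foreach (scan_log($sampleLog) as $hit) {
    echo implode(', ', $hit['indicators']), ' <- ', $hit['line'], PHP_EOL;
}
```

On the constructed sample the first line (a legitimate `default` value) produces no hit, while the remaining three are flagged. A 200 status next to a traversal or wrapper indicator is the case to prioritise, since it suggests the inclusion succeeded rather than being rejected.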
OpenCVE Enrichment