Impact
The vulnerability is an improper control of the file name passed to a PHP include/require statement (CWE-98), that is, Local File Inclusion. Because include executes whatever it loads, a crafted request can make the plugin pull in any file the web-server user can read; files without PHP code are echoed back (a typical target being wp-config.php with its database credentials), and if the attacker can get PHP code into any local file the path can reach (an uploaded file, a log, a session file), including it runs that code, which is effectively remote code execution. Appending a fixed suffix such as ".php" to the supplied name does not prevent this, since directory traversal in the name still resolves to a different file. The impact is a compromise of the confidentiality, integrity, or availability of the affected WordPress site.
Affected Systems
The affected product is Processby's Responsive Sidebar WordPress plugin, commonly referred to as Responsive Sidebar. All versions up to and including 1.2.2 are affected. Any WordPress site with one of these versions installed and active is vulnerable; the enrichment does not name a fixed release, so check the plugin's changelog for a version later than 1.2.2 or remove the plugin until one is available.
Risk and Exploitability
The CVSS score of 7.5 places this in the High severity band. The EPSS score below 1% means that observed exploitation activity is currently low, not that exploitation is difficult; LFI in a WordPress plugin needs no more than a crafted HTTP request once the vulnerable parameter is known. The issue is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending a request to the plugin's endpoint with a file name (typically containing "../" sequences or a php:// stream wrapper) in the URL parameter or input field that the plugin hands to include, causing a local file to be read or executed. Attackers need network access to the site and control over that parameter; the enrichment does not state whether authentication is required.
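The following is an added illustration of the CWE-98 pattern described under Impact and the attack path described above. It is not code from the Responsive Sidebar plugin or from Processby; the "layout" parameter name, the templates directory, the file names and every function name are assumptions made for the example. It shows the vulnerable include next to two fixes: a fixed allowlist (the right choice when the set of sidebar templates is known) and a canonical-path containment check for cases where the template set is dynamic.

```php
<?php
// Added example of the CWE-98 (Local File Inclusion) pattern; not the plugin's code.
// The "layout" parameter, the templates directory and all function names are assumptions.

declare(strict_types=1);

// --- Vulnerable pattern ------------------------------------------------------
// The request value goes straight into include. Appending ".php" does not help:
// "../secret" becomes "../secret.php" and include executes any file the
// web-server user can read, or echoes it verbatim if it holds no PHP.
// Kept only to show the bug; do not use.
function load_layout_unsafe(string $templateDir, array $get): void
{
    $layout = $get['layout'] ?? 'default';
    include $templateDir . '/' . $layout . '.php';   // CWE-98
}

// --- Fix 1: allowlist ----------------------------------------------------------
// The request value is only ever a key into a fixed map, so the path that reaches
// include is never attacker-controlled. Unknown keys fall back to a safe default
// instead of being "cleaned up".
const LAYOUTS = [
    'default' => 'default.php',
    'compact' => 'compact.php',
];

function resolve_layout_allowlist(string $templateDir, string $requested): string
{
    $key = array_key_exists($requested, LAYOUTS) ? $requested : 'default';
    return $templateDir . '/' . LAYOUTS[$key];
}

// --- Fix 2: containment check (when the template set is dynamic) --------------
// Accept a single plain path segment (this already rejects "/", "..", ":" and so
// php:// wrappers), canonicalise with realpath(), which resolves ".." and symlinks,
// and require the result to sit under the templates directory.
function resolve_layout_contained(string $templateDir, string $requested): ?string
{
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    $base = realpath($templateDir);
    $candidate = realpath($templateDir . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;   // missing file or directory: refuse rather than guess
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;   // resolved outside the templates directory
    }
    return $candidate;
}

// --- Demonstration on a constructed layout (temporary files, removed at the end) --
$root = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
$templateDir = $root . '/templates';
mkdir($templateDir, 0700, true);
file_put_contents($templateDir . '/default.php', "<?php echo 'default layout';\n");
// Sibling file standing in for wp-config.php: outside the templates directory.
file_put_contents($root . '/secret.php', "<?php echo 'DB_PASSWORD=...';\n");

$probes = ['default', '../secret', 'php://filter/convert.base64-encode/resource=../secret'];
foreach ($probes as $p) {
    echo str_pad($p, 58),
         ' allowlist=', basename(resolve_layout_allowlist($templateDir, $p)),
         '  contained=', resolve_layout_contained($templateDir, $p) ?? 'rejected', "\n";
}

// The unsafe loader really reaches and executes the sibling file.
ob_start();
load_layout_unsafe($templateDir, ['layout' => '../secret']);
$leaked = ob_get_clean();
echo "unsafe include output: ", $leaked, "\n";

unlink($root . '/secret.php');
unlink($templateDir . '/default.php');
rmdir($templateDir);
rmdir($root);
```

Run with `php lfi_demo.php`: both fixes map every probe other than "default" to the default template or reject it, while the unsafe loader prints the contents of the sibling file. In a real plugin the base directory would come from `plugin_dir_path(__FILE__)`; note that WordPress helpers such as `sanitize_text_field()` or `esc_attr()` are output and text sanitizers, not path validators, and do not remove "../" sequences.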
OpenCVE Enrichment