Impact
The vulnerability is improper control of the filename used in a PHP include or require statement, allowing an attacker to trigger local file inclusion (LFI). This can lead to arbitrary reading of local files and to further compromise if the read data is used in subsequent operations. The weakness is classified as CWE-98 and presents a risk of data exposure and further exploitation depending on the context of the included files.
Affected Systems
WordPress sites using the Lazy Load Optimizer plugin version 1.4.7 or earlier are affected. The plugin, developed by Processby, is common in sites that enable lazy loading of images and other media. No specific operating system or WordPress core version is singled out in the advisory, so any installation of the plugin in the listed version range could be vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while an EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog, indicating no confirmed in-the-wild exploitation. Given the nature of LFI, the attack vector is likely local or via authenticated access to the plugin's settings page, and an attacker may need a valid user session or an administrative account to supply a crafted file path. Once triggered, the attacker could read sensitive files such as configuration files, or potentially execute code if the included file contains malicious content.
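The CWE-98 pattern described under Impact and the mitigation this section implies, as an added illustration that is not the Lazy Load Optimizer plugin's own code: a hypothetical settings handler that selects a template file by name, first in the unsafe form and then hardened with an allowlist plus a containment check (directory, option name and file names are assumptions).

```php
<?php
// Added illustration of CWE-98; hypothetical code, not the plugin's.
// Scenario: a settings page lets the user pick a display template by name.

// VULNERABLE PATTERN: the request value reaches include() unfiltered, so a
// crafted value (for example a path traversal sequence) pulls in any file the
// web server can read, which is the local file inclusion the advisory describes.
function render_template_unsafe(string $template_dir, string $requested): void
{
    include $template_dir . '/' . $requested . '.php';
}

// HARDENED: map the request onto a fixed allowlist of logical names, then
// verify that the resolved file still lives inside the template directory.
const TEMPLATE_ALLOWLIST = [
    'default' => 'default.php',   // assumed template names
    'gallery' => 'gallery.php',
    'sidebar' => 'sidebar.php',
];

function resolve_template(string $template_dir, string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;                          // unknown name: refuse, never guess
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . TEMPLATE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;                          // directory or file does not exist
    }
    // Defense in depth: even an allowlisted entry must resolve under $base
    // (catches symlinks or a misconfigured allowlist pointing elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template_dir, string $requested): void
{
    $path = resolve_template($template_dir, $requested);
    if ($path === null) {
        http_response_code(400);              // reject rather than fall back
        return;
    }
    include $path;
}

// Assumed WordPress call site: capability check and option name are hypothetical.
// if (current_user_can('manage_options')) {
//     render_template_safe(__DIR__ . '/templates',
//                          sanitize_key($_POST['llo_template'] ?? 'default'));
// }
```

The allowlist alone closes the inclusion path; the realpath containment check is the cheap second layer that also survives a later mistake in the allowlist.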
OpenCVE Enrichment