Impact
The vulnerability is an improper control of the filename used in a PHP include or require statement (CWE-98) in the Subscribe To Unlock plugin. The plugin passes a path derived from request data to include/require without validating it, so an attacker chooses which file the server includes. If the chosen file contains no PHP code, its contents are emitted into the response, disclosing local files; if it does contain PHP code, that code is executed, giving remote code execution. Either outcome can compromise the confidentiality, integrity or availability of the hosting environment.
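The pattern behind CWE-98, shown as an added illustration and not as code from the Subscribe To Unlock plugin: the vulnerable form builds the include path from a request parameter, and the hardened form accepts only allowlisted names and then verifies that the resolved path stays inside the intended directory. The parameter name `template`, the `templates/` directory and the allowlist entries are assumptions made for this example, not details taken from the plugin.

```php
<?php
// Added illustration of CWE-98 in PHP; not code from the Subscribe To Unlock plugin.
// The "template" parameter, the templates/ directory and the allowlist are assumed.

// --- Vulnerable pattern: the include path is built directly from untrusted input ---
function render_template_vulnerable(string $requested): void
{
    // Nothing constrains $requested. A value such as "../../wp-config.php"
    // walks out of templates/ and is included: non-PHP content is echoed
    // to the response, PHP content is executed.
    include __DIR__ . '/templates/' . $requested;
}

// --- Hardened pattern: allowlist the name, then verify the resolved path ---
const ALLOWED_TEMPLATES = ['default', 'compact', 'overlay'];

function resolve_template_path(string $requested): ?string
{
    // 1. Accept only names from a fixed allowlist. Strict comparison rejects
    //    anything else, including strings containing '/', '\\', '.' or a NUL byte.
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }

    $base = realpath(__DIR__ . '/templates');
    $candidate = realpath($base . '/' . $requested . '.php');

    // 2. Defence in depth: the resolved file must exist and lie under $base,
    //    so a later widening of the allowlist or a planted symlink cannot
    //    escape the directory.
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

function render_template_safe(string $requested): void
{
    $path = resolve_template_path($requested);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// Usage (constructed input; $_GET is read here only to show where untrusted data enters):
render_template_safe($_GET['template'] ?? 'default');
```

The allowlist is what closes the flaw; the `realpath` comparison is a second check that costs nothing and catches mistakes in the first. Functions such as `basename()` or stripping `../` are not sufficient on their own, because they still let the attacker pick any file in the directory and are bypassable with encoded or mixed separators.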
Affected Systems
All installations of the wpshuffle Subscribe To Unlock WordPress plugin at version 1.1.5 or earlier are affected. The advisory identifies no fixed release, so every deployment of 1.1.5 or earlier should be treated as exposed to the LFI flaw.
Risk and Exploitability
The CVSS base score of 7.5 rates the vulnerability as high severity. The EPSS score is below 1 %, meaning the model estimates a low probability of exploitation in the wild over the next 30 days, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog; neither figure rules exploitation out, they only indicate that it has not been observed or predicted at scale. From the description it is inferred, since no vector string is given here, that the attack is remote: an attacker without privileged access supplies the file path through a request parameter and triggers the include. A successful exploit reads sensitive files from the server or executes attacker-controlled PHP, which amounts to full compromise of the web server.