Impact
The Premmerce User Roles plugin does not properly control the filenames used in PHP include/require statements. The flaw allows an attacker to specify an arbitrary local file path, leading to a Local File Inclusion vulnerability. If the attacker can include a file containing sensitive data or inject malicious code, the impact ranges from information disclosure to remote code execution. The weakness corresponds to CWE-98: file paths are not properly validated before inclusion, which can be abused to include unintended files.
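The general mitigation for this class of weakness (CWE-98), as an added example that is not the plugin's code: the caller-supplied name is allowlisted, canonicalised, and checked for containment before it can reach `include`. This page does not give the plugin's actual parameter or file layout, so the function name `resolve_template`, the views directory and the sample inputs are all constructed for illustration.

```php
<?php
// Added example: function name, directory layout and sample inputs are
// constructed for illustration and are not taken from the plugin.

/**
 * Resolve a caller-supplied template name to a file inside $baseDir,
 * or return null when the name must not be passed to include/require.
 */
function resolve_template(string $baseDir, string $name): ?string
{
    // 1. Allowlist the shape of the name: no separators, dots, NUL bytes or schemes.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    // 2. Canonicalise both paths; realpath() returns false for missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Containment: the resolved path must still sit under the base directory
    //    (this also catches symlinks that point outside it).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary views directory holding one legitimate template.
$views = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'views_' . bin2hex(random_bytes(4));
mkdir($views);
file_put_contents($views . DIRECTORY_SEPARATOR . 'roles.php', "<?php return 'roles view';\n");

// Constructed inputs: one valid name, then names the checks must refuse.
$samples = ['roles', '../outside', 'sub/roles', 'roles.php', "roles\0", 'scheme://x', 'missing'];
foreach ($samples as $name) {
    $file = resolve_template($views, $name);
    $label = json_encode($name, JSON_UNESCAPED_SLASHES);
    printf("%-16s => %s\n", $label, $file === null ? 'rejected' : 'include ' . basename($file));
}

// Clean up the fixture.
unlink($views . DIRECTORY_SEPARATOR . 'roles.php');
rmdir($views);
```

Only `roles` resolves to a file; every other sample is rejected before any include could run.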
Affected Systems
The vulnerability affects the Premmerce User Roles WordPress plugin, versions up through 1.0.13. Sites running this plugin on any WordPress installation are potentially impacted unless they are using a later version.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity; however, the EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is a crafted request that manipulates the path passed to the plugin's file-inclusion endpoint. Exploitation would require the attacker either to hold sufficient privileges or to be able to send a crafted request to that endpoint. The CVE data states no explicit authentication requirements, so unauthenticated exploitation cannot be ruled out.