Impact
The Clearblue® Ovulation Calculator WordPress plugin contains an Improper Control of Filename for Include/Require Statement flaw (CWE‑98) that allows PHP Local File Inclusion. When an attacker can influence the filename passed to a PHP include or require statement, the plugin can be made to load arbitrary files from the web server: files containing PHP are executed, and any other readable file has its contents emitted into the response. This can expose configuration files (for a WordPress site, wp-config.php and the database credentials it holds) and, if the attacker can first place a file containing PHP code on the server, for example through an upload feature, lead to execution of attacker‑supplied code, compromising the site's confidentiality and integrity and possibly its availability.
Affected Systems
All installations of the Clearblue® Ovulation Calculator plugin at version 1.2.4 or earlier are affected. No lower bound is given, so every released version up to and including 1.2.4 should be treated as vulnerable. Because the plugin is distributed as a WordPress extension, any WordPress site with one of these versions installed is at risk.
Risk and Exploitability
The CVSS score of 7.5 places the flaw in the high‑severity band. The EPSS score below 1% indicates that exploitation in the wild is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog, so there is no public evidence of active exploitation campaigns. The expected attack vector is a crafted HTTP request that sets a user‑controlled parameter the plugin uses to build the filename for an include statement; directory traversal sequences (../) in that value redirect the include to any file the web server process can read. Reading local files requires only that the attacker can reach the vulnerable code path with such a request. Turning the inclusion into code execution additionally requires attacker‑controlled content somewhere on the local filesystem, which can come from a compromised WordPress user account, a separate plugin that permits file uploads, or any other write access to the site. Because local file inclusion frequently ends in code execution, the risk to affected sites remains significant, especially where the plugin's endpoints or the WordPress admin interface are reachable by untrusted users.
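As an added illustration of the CWE‑98 pattern described under Impact and of the request‑driven attack vector described above, the script below places a vulnerable include next to a hardened version and runs both against a constructed temporary template directory. It is example code written for this page, not the plugin's own code; the `view` parameter, the template names, the standin `secret.php` and the function names are all hypothetical.

```php
<?php
// Added example, not code from the Clearblue® Ovulation Calculator plugin.
// The `view` parameter, template names and function names are hypothetical;
// they illustrate the CWE-98 pattern and its fix, not the plugin's real code.
declare(strict_types=1);

// --- Vulnerable pattern (CWE-98) -------------------------------------------
// The request supplies part of the path handed to include. Because include
// executes the file, ?view=../../../../wp-config.php runs wp-config.php, and a
// previously uploaded file containing PHP (e.g. in wp-content/uploads) becomes
// code execution. Appending a fixed suffix such as '.php' only limits the
// attacker to files with that suffix; it does not stop traversal.
function render_view_vulnerable(array $request, string $templateDir): void
{
    $view = $request['view'] ?? 'calculator';
    include $templateDir . '/' . $view;          // attacker controls $view
}

// --- Hardened pattern -------------------------------------------------------
// Two independent controls:
//  1. An allowlist: the request may choose a *name* from a fixed set, never a path.
//  2. A containment check: resolve the final path with realpath() and require
//     it to sit inside the template directory, so a future allowlist mistake
//     still cannot reach wp-config.php or uploads/.
const ALLOWED_VIEWS = ['calculator', 'results', 'about'];

/**
 * Returns the absolute path of the template to include, or null if the
 * requested view is not on the allowlist or resolves outside $templateDir.
 */
function resolve_view(string $templateDir, string $view): ?string
{
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;                             // not on the allowlist
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $view . '.php');
    if ($base === false || $path === false) {
        return null;                             // directory or file missing
    }
    // Containment: $path must begin with "$base/" (symlinks already resolved).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function render_view_hardened(array $request, string $templateDir): void
{
    $path = resolve_view($templateDir, (string)($request['view'] ?? 'calculator'));
    if ($path === null) {
        http_response_code(400);
        echo 'Invalid view';
        return;
    }
    include $path;
}

// --- Self-check against a constructed temporary template directory ----------
$dir = sys_get_temp_dir() . '/cwe98-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/calculator.php', "<?php echo 'calculator view';\n");
// secret.php stands in for wp-config.php: a PHP file outside the template dir.
file_put_contents($dir . '/secret.php', "<?php echo 'DB_PASSWORD=hunter2';\n");

// Vulnerable: traversal escapes templates/ and executes secret.php.
ob_start();
render_view_vulnerable(['view' => '../secret.php'], $dir . '/templates');
$leaked = ob_get_clean();                        // "DB_PASSWORD=hunter2"

// Hardened: the same input is rejected, while a legitimate view still renders.
if (resolve_view($dir . '/templates', '../secret') !== null) {
    throw new RuntimeException('traversal must be rejected');
}
if (resolve_view($dir . '/templates', 'calculator') !== realpath($dir . '/templates/calculator.php')) {
    throw new RuntimeException('allowlisted view must resolve');
}
ob_start();
render_view_hardened(['view' => '../secret.php'], $dir . '/templates');
$blocked = ob_get_clean();                       // "Invalid view"

printf("vulnerable output: %s\nhardened output:   %s\n", $leaked, $blocked);

// Clean up the temporary files.
unlink($dir . '/templates/calculator.php');
unlink($dir . '/secret.php');
rmdir($dir . '/templates');
rmdir($dir);
```

Run it with `php cwe98-demo.php`. The allowlist alone closes the hole; the realpath containment check is kept as a second, independent control so that a later change to the allowlist (or a symlink dropped into the template directory) cannot reopen it. A filter that only strips `../` sequences is not a substitute for either: encoded or doubled sequences routinely survive such filters.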
OpenCVE Enrichment