Impact
The WordPress WP Customer Area plugin passes an improperly controlled filename to an include/require statement, resulting in a PHP Local File Inclusion (LFI) flaw. An attacker who can influence the include argument can read sensitive local files or trigger execution of PHP code, potentially compromising the confidentiality, integrity, or availability of the site. The vulnerability is contained within the plugin's file inclusion logic and therefore does not by itself grant privilege escalation, but the ability to execute code on the host can have severe consequences if attacker-controlled code is injected.
Affected Systems
The vulnerability affects the WordPress plugin WP Customer Area developed by Aguila Technologies. All plugin versions from the earliest release up through 8.3.5 are susceptible; no further changes to this affected range are known.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of less than 1% suggests that the probability of exploitation is currently low. Because the flaw resides in a publicly accessible WordPress plugin, an attacker can potentially exploit it without prior authentication, relying on crafted HTTP requests that manipulate the include path. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no confirmed in-the-wild exploitation has been reported at this time. Nonetheless, the high CVSS score and the nature of the flaw make the vulnerability a priority for remediation.
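A defensive pattern for the class of flaw described above, as an added example that is not the plugin's or OpenCVE's code: the request parameter only selects among an allowlist of known template names, and the resolved path is checked to lie inside the plugin's own directory before it is passed to require. The 'view' parameter, the templates/ directory and the template names are assumptions.

```php
<?php
// Added example (not the plugin's own code): confine a template include to a
// fixed allowlist and to the plugin's own directory, so a request parameter
// can never steer include/require to an arbitrary local file.
// The 'view' parameter, the templates/ directory and the names are assumptions.

/**
 * Resolve a user-supplied view name to a file that is safe to include,
 * or return null if the name is not one of the known templates.
 */
function example_safe_template( string $view ): ?string {
    // 1. Allowlist: only these logical names may ever be rendered.
    $allowed = array( 'dashboard', 'content', 'account' );
    if ( ! in_array( $view, $allowed, true ) ) {
        return null;
    }

    // 2. Build the path from a constant base, never from raw input.
    $base = realpath( __DIR__ . '/templates' );
    $path = realpath( $base . '/' . $view . '.php' );

    // 3. Defence in depth: the resolved path must still sit inside $base,
    //    so a symlink or misconfigured base cannot widen what gets included.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

// Unsafe pattern the advisory describes (illustrative, not the plugin's code):
//   include $_GET['view'];   // request controls the filename directly
//
// Hardened usage: the request only chooses among known templates, and the
// WordPress helpers normalise the raw value before the allowlist check.
$view = isset( $_GET['view'] ) ? sanitize_key( wp_unslash( $_GET['view'] ) ) : 'dashboard';
$file = example_safe_template( $view );
if ( null === $file ) {
    wp_die( esc_html__( 'Unknown view.', 'example' ), '', array( 'response' => 400 ) );
}
require $file;
```

Logging rejected view names at the wp_die branch gives defenders a cheap detection signal for traversal attempts against the include path.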
OpenCVE Enrichment