The AnyComment plugin for WordPress contains an improper control of filename for include/require. By supplying attacker‑controlled path values, an attacker could trigger PHP's include function with arbitrary local file names, potentially exposing sensitive local files or allowing the execution of malicious code. This flaw is classified as CWE‑98 and can compromise confidentiality and integrity of the server hosting the site.

This vulnerability affects the Alexander AnyComment plugin version 0.3.6 and earlier on WordPress installations. Systems running any of these versions are impacted. No additional product or version information is provided.

With a CVSS score of 7.5 the vulnerability is considered high impact, yet the EPSS score of less than 1% indicates a very low probability of exploitation at present and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion, typically triggered through plugin parameters or crafted URLs that influence the include path. Successful exploitation would require the attacker to have the ability to influence the plugin’s input and to have access to the site’s file system; it does not grant remote code execution on its own but can lead to disclosure of local files or remote code execution if the attacker can place a malicious script on the server.