Impact
The Filr plugin suffers from a path traversal vulnerability (CWE-22) that permits deletion of any file reachable by the web server process. Because the plugin fails to constrain the target pathname to a restricted directory, an attacker can remove critical website files or system configuration, harming availability and potentially enabling further compromise if execution is allowed. This flaw lets an attacker cause irreversible data loss and could be a stepping stone to full control of the affected host.
Affected Systems
The WordPress plugin Filr by WP Chill is affected in all releases through version 1.2.10. The vulnerability exists from the initial release (n/a) up to and including 1.2.10.
Risk and Exploitability
The CVSS score of 7.7 indicates high impact, but the EPSS score of less than 1% suggests that exploit prevalence is currently low. The vulnerability is not listed in the CISA KEV catalog, so no known active exploitation has been reported. Based on the description, it is inferred that the attacker would need access to the plugin's file deletion interface, which is typically exposed only to users who can trigger the deletion function, most likely an authenticated administrator. An attacker could prepend directory traversal sequences to the requested filename to delete files outside the plugin's intended scope, resulting in data loss or denial of service. Consequently, the risk is significant for environments that expose the plugin to unauthenticated or weakly authenticated users, especially if the web server runs with elevated filesystem permissions.
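As an added illustration (not Filr's own code, and not the vendor's fix), the containment check that closes this class of bug: the deletion helper resolves the requested name against a fixed base directory and refuses anything that escapes it, including traversal segments and symlinks that point outside. The function name, the temporary directory layout and the file names are assumptions for the demo; in a real plugin the call would additionally sit behind a capability check such as current_user_can() and a nonce check.

```php
<?php
declare(strict_types=1);

/**
 * Delete a file only if it resolves to a location inside $baseDir.
 * Returns true on deletion, false when the request is rejected or the
 * file does not exist. Hypothetical helper written for this example.
 */
function safe_unlink(string $baseDir, string $requested): bool
{
    // Resolve the allowed directory itself; bail if it does not exist.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }
    // Reject empty names, NUL bytes and absolute paths outright.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return false;
    }
    // realpath() collapses '..' segments and follows symlinks, so a
    // traversal attempt resolves to its real target (or to false).
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Containment check: the resolved target must begin with the base
    // directory plus a separator, so a sibling such as "/srv/uploads-old"
    // is not accepted for base "/srv/uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed sandbox: one file inside the allowed directory, one outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'filr_demo_' . uniqid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/inside.txt', 'ok');
file_put_contents($root . '/outside.txt', 'protected');

// A plain name inside the base directory is deleted; a name carrying a
// traversal prefix is refused and the outside file survives.
var_dump(safe_unlink($root . '/uploads', 'inside.txt'));
var_dump(safe_unlink($root . '/uploads', '../outside.txt'));
var_dump(file_exists($root . '/outside.txt'));
```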
OpenCVE Enrichment