The Tuturn plugin for WordPress contains an improper limitation of pathname to a restricted directory flaw that allows an attacker to construct paths that escape the intended directory and download arbitrary files. This Path Traversal issue can lead to unauthorized disclosure of sensitive data such as configuration files, logs, or user credentials, compromising the confidentiality of the site. The flaw exists in all Tuturn plugin releases before version 3.6.

This vulnerability affects the AmentoTech Tuturn WordPress plugin, versions earlier than 3.6. Sites running those versions are exposed. The plugin, which provides file download functionality, is the vector for the attack. WordPress sites that have not yet upgraded are impacted.

The CVSS score of 6.5 indicates a medium severity vulnerability, while the EPSS score of <1 % suggests a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be performed remotely by accessing the plugin’s file download endpoint with a crafted path that traverses directories. If successful, an attacker can read arbitrary files from the server, potentially including sensitive site configuration and credential data, which could compromise the overall security of the WordPress installation.