Impact
The vulnerability arises from improper control of the filenames used in PHP include and require statements. An attacker can supply input that causes the plugin to include files from the server's filesystem, exposing sensitive configuration files or source code, or potentially executing malicious code if a writable file can be overwritten with attacker-controlled content. This flaw can compromise confidentiality and, in some cases, facilitate further exploitation such as remote code execution.
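As an added illustration of the inclusion weakness described above (example code written for this page, not the plugin's own source; the "template" parameter name, the template names and the directory layout are assumptions), the unsafe pattern is shown beside an allowlist-based replacement that fails closed on anything it does not recognise:

```php
<?php
// Added example, not the plugin's code. A hypothetical "template" loader that
// shows the unsafe inclusion pattern beside a hardened form. The parameter
// name "template" and the template names are assumptions for this example.

const CSP_ALLOWED_TEMPLATES = ['countdown', 'coming-soon'];

// UNSAFE: the request parameter is used directly to build the include path.
// Any file readable by the web server user (a configuration file reached via
// ../, for instance) becomes includable, and a writable file whose contents
// the attacker controls becomes executable code. This is the flaw class the
// advisory describes.
function csp_render_template_unsafe(array $request, string $templateDir): void
{
    $template = $request['template'] ?? 'countdown';
    include $templateDir . '/' . $template . '.php';
}

// HARDENED: map the parameter onto a fixed allowlist, then verify that the
// canonical path still lies inside the template directory. Returns null when
// the request must be refused.
function csp_resolve_template(string $requested, string $templateDir): ?string
{
    // 1. Reject anything that is not an allowlisted name before touching the
    //    filesystem; traversal sequences and absolute paths cannot pass this.
    if (!in_array($requested, CSP_ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise and confirm containment, so a symlink
    //    or a careless later edit to the allowlist cannot escape the directory.
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // missing directory or file: fail closed
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function csp_render_template_safe(array $request, string $templateDir): void
{
    $requested = (string) ($request['template'] ?? 'countdown');
    $path = csp_resolve_template($requested, $templateDir);
    if ($path === null) {
        // Fail closed and leave a log line that defenders can alert on.
        error_log('csp: rejected template parameter: ' . $requested);
        http_response_code(400);
        return;
    }
    include $path;
}

// Self-contained demonstration: build a throwaway template directory, then
// run constructed request values through the hardened resolver.
$dir = sys_get_temp_dir() . '/csp-demo-' . getmypid();
mkdir($dir, 0700, true);
foreach (CSP_ALLOWED_TEMPLATES as $name) {
    file_put_contents("$dir/$name.php", "<?php echo '$name template';\n");
}
$probes = ['countdown', 'coming-soon', '../../wp-config', '/absolute/elsewhere'];
foreach ($probes as $value) {
    $resolved = csp_resolve_template($value, $dir);
    printf("%-20s -> %s\n", $value, $resolved === null ? 'rejected' : 'allowed');
}
```

The allowlist check is the control that matters: once the request value can only select among fixed names, the include path is never attacker-shaped. The realpath containment check is a second layer that also catches filesystem-level surprises such as symlinks, and the rejection log line gives operators something concrete to monitor for probing attempts.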
Affected Systems
The weakness affects the WebCodingPlace WooCommerce Coming Soon Product with Countdown plugin for WordPress up to and including version 5.0. No earlier versions are listed as affected, and no official patch version is provided in the advisory.
Risk and Exploitability
The CVSS score is 7.5, indicating high severity, with a local or remote attacker capable of triggering the flaw via crafted request parameters. The EPSS score is less than 1%, suggesting a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote, through a web request that feeds a malicious filename to the plugin's inclusion logic. If an attacker succeeds, they can read arbitrary files on the server, escalating the impact to potential data theft or code injection.
OpenCVE Enrichment