The flaw is a classic improper control of filenames used in PHP include/require statements, identified as CWE-98. The plugin’s code allows an attacker to supply a crafted input that causes PHP to read or execute unintended files. This can lead to disclosure of sensitive server files or activation of malicious code, undermining confidentiality, integrity, or availability of the WordPress site and potentially the underlying server. No special privileges are required beyond access to the vulnerable plugin functionality.

WordPress sites that have installed Themepul’s TopperPack – Complete Elementor Addons, Theme & CPT Builder plugin version 1.2.1 or earlier. The vulnerability applies to all installations of these versions because the issue lies in the plugin’s default filename handling, regardless of individual site configuration.

The CVSS score of 7.5 reflects a high severity vulnerability. The EPSS score of less than 1% indicates that, while serious, exploitation opportunities are currently scarce. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is manipulation of URL query parameters or form inputs that specify the filename to include. The attack can be executed remotely without authentication, so public access to the site can provide the necessary entry point.