Impact
The weakness is located in the WordPress & WooCommerce Scraper Plugin, Import Data from Any Site and is caused by a lack of validation when an HTTP request parameter is used to build a file path. An attacker can supply an arbitrary path and the plugin will return the contents of that file to the requester, allowing download of any file that the web server process can read. The impact is the disclosure of file contents; the vulnerability does not modify or delete data. The possibility of exposing configuration files, credentials, or other sensitive data is inferred from the general ability to retrieve arbitrary files, but the CVE description does not explicitly state which files are vulnerable.
Affected Systems
WordPress sites that have the extendons WordPress & WooCommerce Scraper Plugin, Import Data from Any Site installed with a version of 1.0.7 or earlier are affected. No other products or versions are specifically cited as impacted.
Risk and Exploitability
The CVSS v3.1 base score of 7.5 indicates high severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw is unauthenticated, an attacker can send a direct HTTP request that includes a file path parameter to the plugin endpoint; the server will respond with the requested file contents. This path traversal can expose sensitive files on the server, which may lead to disclosure of confidential information (inferred).
OpenCVE Enrichment