Impact
The Templately WordPress plugin is vulnerable because the function that saves a template to a file does not sanitize user-supplied parameters such as session_id, content_id, and ai_page_ids before building a file path. This oversight allows an unauthenticated attacker to cause the plugin to write arbitrary .ai.json files under the uploads directory. The immediate consequence is the creation of files the attacker controls, which could be leveraged to alter plugin behavior, insert malicious configuration data, or trigger script execution if the JSON is subsequently processed by the application.
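One way to build such a path safely, shown as an added example that is not the plugin's code or its patch: each identifier is checked against an allowlist and the resolved directory must stay under the base directory. The function names, the 64-character limit, the per-session directory layout and the temporary directory standing in for uploads are assumptions; each element of ai_page_ids would be validated the same way.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept an identifier only if it matches a strict allowlist.
function safe_id(string $value): string
{
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value) !== 1) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return $value;
}

// Hypothetical helper: build the template file path and confirm it stays inside $baseDir.
function template_path(string $baseDir, string $sessionId, string $contentId): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory missing');
    }
    $dir = $base . DIRECTORY_SEPARATOR . safe_id($sessionId);
    if (!is_dir($dir) && !mkdir($dir, 0750)) {
        throw new RuntimeException('cannot create session directory');
    }
    // Resolve symlinks, then require the result to sit under the base directory.
    $resolved = realpath($dir);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($resolved === false || strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('path escapes base directory');
    }
    return $resolved . DIRECTORY_SEPARATOR . safe_id($contentId) . '.ai.json';
}

// Constructed demo input: a temporary directory stands in for the uploads folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads-demo-' . bin2hex(random_bytes(4));
mkdir($base, 0750);

$samples = [['sess01', 'page-12'], ['../../outside', 'page-12'], ['sess01', 'a/../../b']];
foreach ($samples as [$sid, $cid]) {
    try {
        echo 'OK       ', template_path($base, $sid, $cid), PHP_EOL;
    } catch (Throwable $e) {
        echo 'REJECTED ', json_encode([$sid, $cid]), ': ', $e->getMessage(), PHP_EOL;
    }
}
```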
Affected Systems
WordPress sites that have installed wpdevteam:Templately – Elementor & Gutenberg Template Library in any version up to and including 3.4.8 are affected. The issue resides in the plugin’s core code and can affect any WordPress installation that allows unauthenticated access to the plugin’s save endpoint.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests that active exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, which further indicates a lower current threat. The likely attack vector is a remote HTTP request to the plugin’s endpoint, which does not require authentication. The potential impact is the unauthorized creation of files in the uploads directory, giving the attacker the ability to influence the plugin’s function or store malicious data. Overall, the risk is moderate: the lack of an authentication requirement warrants attention, but the low exploitation probability means no emergency containment measures are needed beyond patching.