Impact
The vulnerability in the WordPress WooCommerce Book Price plugin versions 1.3 and earlier allows an attacker to download arbitrary files from the server through a public endpoint. The flaw follows the path traversal weakness identified as CWE‑22. If exploited, sensitive server files could be disclosed, compromising the confidentiality of site data and potentially exposing configuration or credential files stored alongside the plugin.
Affected Systems
The WooCommerce Book Price plugin developed by WPos, in versions 1.3 and earlier, deployed on WordPress sites.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity. No EPSS score is publicly available, so no specific exploitation probability can be cited. The vulnerability is not listed in the CISA KEV catalog. The attack appears to require only a crafted request to the plugin’s download endpoint and does not mention authentication, suggesting it is readily exploitable from the web interface. As a result, sites running an unpatched plugin face a significant risk of confidential file disclosure.
OpenCVE Enrichment