Impact
This vulnerability arises from improper control of the filename used in a PHP include/require statement within the My auctions allegro WordPress plugin. The flaw allows an attacker to make the plugin load arbitrary local files from the web server, potentially exposing sensitive configuration data, keys, or other confidential information. While the defect does not by itself grant remote code execution, arbitrary file read can serve as a stepping stone to further attacks, such as credential harvesting or, if other weaknesses are present, execution of malicious scripts.
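To make the defect class concrete, the following is an added illustration of the vulnerable pattern (CWE-98, request-controlled include path) beside a hardened form; it is not code from the My auctions allegro plugin, and the view parameter, template names and templates/ directory are assumptions for the example.

```php
<?php
// Added illustration, not code from the My auctions allegro plugin.
// Hypothetical names: the 'view' request parameter, the templates/
// directory and the template file names are assumptions.

// Vulnerable pattern: the request value becomes part of the include path,
// so whatever the caller supplies decides which local file PHP loads.
function render_view_unsafe( string $view ) {
    include plugin_dir_path( __FILE__ ) . 'templates/' . $view . '.php';
}

// Hardened pattern: the request supplies a key, never a path; the key is
// mapped through a fixed allowlist and the resolved file is checked to
// still live under the plugin's templates/ directory.
function render_view_safe( string $view ) {
    $allowed = [
        'list'    => 'auction-list.php',
        'details' => 'auction-details.php',
    ];
    if ( ! isset( $allowed[ $view ] ) ) {
        wp_die( 'Unknown view', 'Error', [ 'response' => 400 ] );
    }

    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $allowed[ $view ] );

    // Defence in depth: reject anything that resolved outside templates/.
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid view', 'Error', [ 'response' => 400 ] );
    }

    include $file;
}

// Normalise the incoming key before lookup; sanitize_key() strips
// everything except lowercase alphanumerics, dashes and underscores.
$view = isset( $_GET['view'] ) ? sanitize_key( wp_unslash( $_GET['view'] ) ) : 'list';
render_view_safe( $view );
```

The allowlist is the control that matters: once the request can only choose among fixed keys, sanitising the value is a backstop rather than the primary defence.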
Affected Systems
The affected product is the WordPress plugin wphocus My auctions allegro, versions from the initial release up to and including 3.6.33. Users who have installed any of these plugin versions on their WordPress sites are susceptible to exploitation.
Risk and Exploitability
The CVSS base score of 7.5 indicates a high severity. The EPSS score of less than 1% suggests that, as of this analysis, the probability of active exploitation in the wild is low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would need to deliver a crafted request targeting the plugin's file handling logic, typically via a web-based parameter that controls the include path. It is likewise inferred that successful exploitation requires the attacker to have sufficient privileges to read files on the server; even so, the local file inclusion flaw can lead to sensitive data disclosure or set the stage for downstream attacks.
OpenCVE Enrichment