Impact
An attacker can supply an arbitrary filename that is later used in a PHP include or require statement inside the NaturaLife Extensions plugin, allowing the attacker to read any file on the web server's file system that the web server process can access. If a writable or executable PHP file is included, the attacker could execute arbitrary PHP code, effectively achieving remote code execution. The weakness is a classic case of improper control of the filename passed to include/require, a condition that also permits disclosure of sensitive files such as configuration data.
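The vulnerable pattern described above, shown beside a hardened form, as an added illustration that is not code from the NaturaLife Extensions plugin; the `template` request parameter, the `templates/` directory and the allowlist entries are assumed for the example.

```php
<?php
// Constructed example: a request parameter flows into include() unchanged.
// This is the weakness class the advisory describes, not the plugin's code.
function render_template_unsafe(string $template): void
{
    // The caller controls every character of the path, so the include can
    // escape the templates directory and load any readable file, and a
    // PHP file it reaches will be executed.
    include __DIR__ . '/templates/' . $template;
}

// Hardened form: request data selects an entry from a fixed allowlist and
// never becomes part of the file path itself.
const ALLOWED_TEMPLATES = [
    'header' => 'header.php',
    'footer' => 'footer.php',
];

function render_template_safe(string $template): void
{
    if (!array_key_exists($template, ALLOWED_TEMPLATES)) {
        http_response_code(400);
        exit('Unknown template');
    }

    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . ALLOWED_TEMPLATES[$template]);

    // Defence in depth: confirm the resolved path still lies inside the
    // templates directory even if the allowlist is edited carelessly later.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(500);
        exit('Template path outside allowed directory');
    }

    require $real;
}

// Typical call site: the parameter comes straight from the HTTP request.
render_template_safe((string) ($_GET['template'] ?? 'header'));
```

When auditing a plugin for this bug class, grep for include/require/include_once/require_once whose operand contains a variable, then trace whether that variable can be reached from `$_GET`, `$_POST`, `$_REQUEST` or a REST/AJAX parameter without passing through an allowlist like the one above.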
Affected Systems
Any WordPress website that has the NaturaLife Extensions plugin installed in a version up through and including 2.1 is vulnerable. Administrators managing sites running these plugin versions should verify their current plugin release before taking remediation steps.
Risk and Exploitability
The CVSS score of 8.1 places this vulnerability in the high severity category, reflecting substantial potential for data disclosure and code execution. The EPSS calculation indicates a probability of exploitation below 1 percent, suggesting that while the attack is technically straightforward, it is not widely active at present. The flaw has not been catalogued as a known exploited vulnerability by CISA, which further reduces the likelihood of mass exploitation. Nonetheless, the required payload is a single unauthenticated HTTP request with a crafted filename parameter, making exploitation extremely low effort for any attacker who chooses to attempt it.
OpenCVE Enrichment