The CMSMasters Content Composer plugin has a flaw that lets attackers control the filename used in a PHP include/require statement. This LFI vulnerability could allow reading of sensitive files or, if the attacker can place a file in a writable directory, could be exploited for code execution. The weakness is a classic example of improper input control, classified as CWE‑98. Based on the description, it is inferred that an attacker who can trigger the plugin’s file inclusion logic could potentially read local files, but actual exploitation to run arbitrary code would depend on the server’s configuration and writable paths.

The issue affects WordPress sites that have the CMSMasters Content Composer plugin version 1.4.5 or earlier. No other WordPress core or plugin versions are explicitly listed as vulnerable. Users operating a WordPress installation with this plugin and a vulnerable version are at risk if the plugin’s file inclusion functionality is reachable from the web.

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog, reducing its current prominence. Exploitation would require an attacker to influence the filename parameter used by the plugin’s internal include/require call, most likely through a crafted HTTP request to the plugin's interface. Because the flaw permits local file inclusion, the attack vector is remote via the web interface, but the payload would be limited to the local filesystem unless an attacker can upload a file to a writable directory. The potential for RCE is inferred from the nature of LFI; however, direct evidence of such exploitation is not provided in the available data.