Impact
The vulnerability is a path traversal flaw (CWE-35) that permits an attacker to influence the file path used by the Snowray Software File Uploader for WooCommerce plugin. By manipulating the request, an adversary can read files outside the intended upload directory. The impact is the unauthorized disclosure of sensitive data stored on the server, potentially exposing configuration files, credentials, or user content, and undermining confidentiality. No direct code execution or privilege escalation is described, but the breadth of read access can be critical in many environments.
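The flaw class described above, as an added example (not the plugin's code, which this page does not show): a naive path join next to a containment check that canonicalises the path and requires the result to stay under the upload directory. Function names, directory names and sample files are hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration of the flaw class, not the plugin's code.
// Function names, directories and sample files are hypothetical.

// Naive pattern: the client-supplied name is joined to the base directory
// unchanged, so "../" segments can move the result outside it.
function naive_path(string $baseDir, string $requested): string
{
    return $baseDir . DIRECTORY_SEPARATOR . $requested;
}

// Hardened pattern: canonicalise first, then require the result to sit
// under the canonical base directory.
function contained_path(string $baseDir, string $requested): ?string
{
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null; // empty name or embedded NUL byte
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory does not exist
    }
    // realpath() resolves "..", "." and symlinks; it returns false for a missing target.
    $target = realpath(naive_path($base, $requested));
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base plus a trailing separator so that a sibling
    // such as "uploads-private" does not pass as being inside "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pt-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
mkdir($root . '/uploads-private', 0700, true);
file_put_contents($root . '/uploads/order-42.pdf', 'ok');
file_put_contents($root . '/site-config.php', 'secret');
file_put_contents($root . '/uploads-private/notes.txt', 'secret');

foreach (['order-42.pdf', '../site-config.php', '../uploads-private/notes.txt', 'missing.pdf'] as $name) {
    $naive = realpath(naive_path($root . '/uploads', $name));
    $safe  = contained_path($root . '/uploads', $name);
    printf("%-30s naive: %-14s contained: %s\n", $name, $naive === false ? 'no such file' : basename(dirname($naive)), $safe === null ? 'rejected' : 'served');
}
```

Only `order-42.pdf` is served by the contained version; the naive join resolves the two `../` names to files outside `uploads`.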
Affected Systems
Snowray Software’s File Uploader for WooCommerce plugin is vulnerable in all releases up to and including version 1.0.4. The affected platform is WordPress: any site with the plugin installed at version 1.0.4 or earlier is affected.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity. The EPSS score of less than 1% suggests a relatively low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Likely attack vectors involve an unauthenticated or authenticated user submitting specially crafted requests to the plugin’s upload endpoint, exploiting the directory traversal sequence to access arbitrary files. While no explicit authentication requirement is given in the description, the nature of the flaw implies that any user who can trigger the endpoint may exploit it, making it a high-risk vulnerability for publicly exposed sites using the affected plugin version.