Impact
This vulnerability is an unauthenticated Local File Inclusion flaw in the Softlab Core WordPress plugin prior to version 1.2.11. The flaw, classified as CWE‑98, allows an attacker to read arbitrary files from the server’s file system by supplying a crafted file path parameter. This can expose sensitive configuration data, credentials, or other secrets, potentially aiding further compromise of the web application. The description does not mention remote code execution, so the impact is limited to information disclosure unless additional vulnerabilities are present.
Affected Systems
The Softlab Core plugin, developed by WebGeniusLab, reaches all WordPress installations that have the plugin enabled and are running a version earlier than 1.2.11.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability that this flaw will be actively exploited at present. The vulnerability is not listed in CISA’s KEV catalog. An attacker can trigger the inclusion by sending an unauthenticated HTTP request that manipulates the plugin’s file path argument, thereby accessing local files on the server. There are no known mitigations beyond updating the plugin; therefore, the risk remains if the vulnerability is left unpatched.
OpenCVE Enrichment