Impact
The vulnerability enables the download of arbitrary files from the server due to a failure to validate the requested file path. This weakness is classified as CWE‑22 and can lead to disclosure of configuration files, database exports, or other confidential data stored on the web host. The impact is primarily a breach of confidentiality, potentially compromising system integrity if the attacker obtains files that facilitate further exploitation.
Affected Systems
WordPress installations that use the Client Portal (Pro) plugin with version 5.6.2 or earlier. The plugin is developed by Client Portal Ltd. and is commonly deployed in WordPress environments that provide client portals.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate to high severity. The EPSS score is not available, so the current exploitation probability is unknown, but the absence of a CISA KEV listing suggests no publicly known exploits at this time. The likely attack vector is a web request to the plugin’s download endpoint, which can be triggered from any authenticated or unauthenticated user depending on the plugin configuration. If exploited, the attacker could retrieve arbitrary files, leading to potential data loss or release of sensitive information.
OpenCVE Enrichment