Impact
The Woosa – Marktplaats for WooCommerce plugin for WordPress is affected by a path traversal vulnerability that allows an authenticated attacker with Administrator privileges to read arbitrary files on the server. The flaw exists because the code that displays log files accepts a base64‑encoded name from the GET parameter "log_file" and concatenates it to the log directory path without validating that the resulting path stays inside the intended directory. This enables disclosure of sensitive configuration files, such as wp-config, and other files that may contain credentials or personal data. The weakness is classified as CWE‑22; it does not by itself grant code execution or cause denial of service, but it is sufficient to compromise confidentiality.
Affected Systems
The vulnerability applies to the Woosa – Marktplaats for WooCommerce plugin for WordPress, specifically versions up to and including 2.0.5. The vulnerable code path is reachable only by administrators and is also present in earlier releases, such as 2.0.4. The plugin is a marketplace add‑on that runs within the WordPress ecosystem.
Risk and Exploitability
The CVSS score of 4.9 indicates moderate severity. No EPSS score is available, so there is no published exploitation‑probability estimate at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires an attacker to be authenticated as an administrator and to send a crafted GET request containing a base64‑encoded "log_file" value. If the request is processed, the attacker can retrieve the contents of any file readable by the web server, leading to a confidentiality breach. The problem is exploitable via standard HTTP requests and requires no privileges beyond those already granted to an admin account.
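The pattern described in the Impact and Risk sections above, shown as an added PHP illustration (not the plugin's own code): a log viewer that base64‑decodes a user‑supplied name and joins it to the log directory, beside a hardened version that confines the result to that directory. The function names and the `$log_dir` value are assumptions for the example.

```php
<?php
// Added illustration, not code from the Woosa plugin. $log_dir is a hypothetical
// path; the real plugin's directory name and function names differ.

// Vulnerable pattern: the decoded name is concatenated with no containment check,
// so "../" sequences inside the decoded value are honoured by the filesystem.
function read_log_unsafe(string $log_dir, string $encoded_name): string|false {
    $name = base64_decode($encoded_name);
    return file_get_contents($log_dir . '/' . $name);
}

// Hardened version: accept only a bare log file name that canonicalises to a
// path directly beneath the canonical log directory.
function read_log_safe(string $log_dir, string $encoded_name): string|false {
    $name = base64_decode($encoded_name, true);   // strict mode rejects non-base64 input
    if ($name === false || $name === '') {
        return false;
    }
    // Reject any directory component and restrict to an expected file-name shape.
    if ($name !== basename($name) || !preg_match('/^[A-Za-z0-9_.-]+\.log$/', $name)) {
        return false;
    }
    $base = realpath($log_dir);
    $path = realpath($log_dir . '/' . $name);    // resolves symlinks and ".." segments
    // Final containment check on the canonical paths: must start with "<log_dir>/".
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return file_get_contents($path);
}

// In a WordPress admin screen this would additionally run only after a
// capability check such as current_user_can('manage_options') and a nonce check.
```

The allow-list regex and the `realpath` prefix comparison are independent layers; keeping both means a future change to one (for example loosening the name pattern) does not silently reopen the traversal.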
OpenCVE Enrichment