This vulnerability in Woocommerce Product Design plugin arises from improper limitation of pathnames to restricted directories, enabling path traversal attacks. Specifically, versions up to and including 1.0.0 are affected. An attacker can exploit this flaw remotely without authentication or user interaction to access sensitive files outside the intended directory scope. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects high confidentiality impact with no integrity or availability impact.

Successful exploitation can lead to unauthorized disclosure of sensitive files on the affected system, compromising confidentiality. There is no indication of impact on data integrity or system availability. No known exploits in the wild have been reported as of the publication date.

Patch status is not yet confirmed — no official patch or remediation guidance is currently available from the vendor. Users should monitor the vendor advisory for updates and consider restricting access to the affected plugin or disabling it until a fix is released. Applying strict file system permissions and web server configurations to limit file access may provide temporary risk reduction.