The Mayosis Core plugin for WordPress contains a path traversal vulnerability (CWE-22) in the library/wave-audio/peaks/remote_dl.php file. This flaw allows unauthenticated attackers to read arbitrary files on the server by manipulating the pathname input, bypassing intended directory restrictions. The issue affects all versions up to 5.4.1 and can expose sensitive information stored on the server. The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact.

Successful exploitation allows unauthenticated attackers to read arbitrary files on the affected server, potentially exposing sensitive data such as configuration files, credentials, or other private information. This confidentiality breach does not affect integrity or availability directly. No known exploits in the wild have been reported as of the published date.

No official patch or remediation has been confirmed at this time. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, users should consider restricting access to the vulnerable file or disabling the affected plugin component if feasible to reduce exposure.