The EmailKit plugin for WooCommerce & WordPress contains a path traversal vulnerability (CWE-22) due to improper validation of file paths in the create_template() method of the CheckForm class. The plugin uses realpath() on the base directory 'wp-content/uploads/emailkit/templates/', but if this directory does not exist, realpath() returns false. In PHP 8.x, strpos() called with false as the second argument is implicitly converted to an empty string, causing the path validation check to be bypassed. Authenticated attackers with Author-level privileges or higher can exploit this to read arbitrary files on the server by supplying an absolute path to the emailkit-editor-template REST API parameter.

An attacker with Author-level or higher privileges can read arbitrary files on the server, including sensitive configuration files like wp-config.php. This can lead to disclosure of sensitive information such as database credentials and other secrets. The vulnerability does not allow modification or denial of service but poses a confidentiality risk. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high confidentiality impact.

Patch status is not yet confirmed — no official fix or patch is currently available from the vendor. Users should monitor the vendor advisory for updates. Until a fix is released, restrict Author-level access to trusted users only and consider disabling or limiting use of the EmailKit plugin's template editing features. Avoid exposing the vulnerable REST API endpoint to untrusted users. No official or temporary fixes are documented at this time.