CVE-2025-15368
ThemeBoy · SportsPress plugin for WordPress
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion (LFI). This allows attackers to read sensitive files from the server's filesystem.
Executive summary
The SportsPress plugin for WordPress contains a high-severity Local File Inclusion (LFI) vulnerability that could lead to the exposure of sensitive system files and potential remote code execution.
Vulnerability
This LFI vulnerability allows an attacker to manipulate a file path passed through a plugin parameter so that the plugin includes a local file of the attacker's choosing; a PHP file reached this way is executed, and any other file is disclosed. Depending on the server configuration, this can be used to read sensitive files such as 'wp-config.php' or system files such as '/etc/passwd'.
Business impact
The impact of an LFI vulnerability is severe, as it facilitates the theft of sensitive configuration data, including database credentials. If combined with a file upload flaw, it can lead to remote code execution. The CVSS score of 8.8 underscores the seriousness of this exposure.
Remediation
Immediate Action: Update the SportsPress plugin to the latest available version to close the LFI vector.
Proactive Monitoring: Monitor web server logs for directory traversal patterns, such as '../', in URL parameters related to the SportsPress plugin.
Compensating Controls: Configure the PHP 'open_basedir' directive to restrict file access to the web root only, preventing the inclusion of sensitive system files.
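One way to implement the log-monitoring step above, as an added example that is not part of this advisory and not code from ThemeBoy or the SportsPress project: a small Python scanner over Apache-style access-log lines that percent-decodes each request target (including double-encoded forms such as '%252e%252e%252f') before looking for traversal sequences, and flags hits that reference SportsPress. The sample log lines, IP addresses and the query parameter names in them ('sportspress_page', 'template', 'sp_tpl') are constructed for illustration; the advisory does not name the vulnerable parameter, and the 'sp_' prefix heuristic for SportsPress-related requests is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). None of these
# parameter names are known to be the vulnerable one; they are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-content/plugins/sportspress/assets/css/sportspress.css HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "GET /?sportspress_page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=sp_example&template=..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.11 - - [10/Jan/2025:12:00:04 +0000] "GET /?sp_tpl=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.13 - - [10/Jan/2025:12:00:05 +0000] "GET /blog/archive/../index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" anywhere in the decoded target.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Heuristic (assumption): the plugin slug, or a query key/value starting with "sp_".
SPORTSPRESS_HINT = re.compile(r"sportspress|(?:^|[?&=/])sp_", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are revealed.

    Stops early once a round changes nothing; max_rounds bounds the work.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_depth(target):
    """Number of parent-directory steps in the decoded target."""
    return len(TRAVERSAL_RE.findall(target))


def scan_line(line):
    """Return a finding dict for a log line containing traversal, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    target = fully_decode(match.group("target"))
    if not TRAVERSAL_RE.search(target):
        return None
    return {
        "ip": match.group("ip"),
        "timestamp": match.group("ts"),
        "status": int(match.group("status")),
        "target": target,
        "depth": traversal_depth(target),
        "sportspress_related": bool(SPORTSPRESS_HINT.search(target)),
    }


def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        tag = "SPORTSPRESS" if hit["sportspress_related"] else "generic"
        print(f"{hit['timestamp']} {hit['ip']} [{tag}] depth={hit['depth']} {hit['target']}")
```

Decoding before matching matters because a single pass of '../' matching misses '%2e%2e/' and double-encoded variants, and a 200 status on a traversal request is the signal worth paging on. On the open_basedir control listed above: restricting PHP to the web root bounds what a traversal can reach, so '/etc/passwd' becomes unreadable, but 'wp-config.php' normally sits inside the web root and stays within bounds; the directive complements the plugin update rather than replacing it.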
Exploitation status
Public Exploit Available: false
Analyst recommendation
Because this vulnerability can lead to the disclosure of the site's most sensitive secrets, including database passwords, immediate remediation is required. Update the plugin now and ensure your server configuration follows security best practices.