This script is possibly vulnerable to directory traversal attacks.
Directory Traversal is a vulnerability which allows attackers to access restricted directories and read files outside of the web server's root directory.
Your script should filter metacharacters from user input.
WordPress Plugin LearnPress-WordPress LMS Multiple Vulnerabilities (22.214.171.124.2)
WordPress Plugin SearchWP Live Ajax Search Directory Traversal (1.6.2)
WordPress Plugin Migration, Backup, Staging-WPvivid Arbitrary File Deletion (0.9.76)
WordPress Plugin A/B Test 'action' Parameter Directory Traversal (1.0.6)