RCE... not really. CE yes, but the Code being Executed needs to be separately supplied and you need local permissions so there is nothing Remote about it. It's not that you exploit Np++ upon opening your malicious file or so (and even that would be neither network-bound nor zero-click!).
Steps to reproduce:
1. Place a malicious file on disk (e.g. ~/Downloads/definitely_legit.exe)
2. Modify shortcuts.xml (in the user's %AppData%, requiring local user permissions) to point to this file in a special way
3. The shortcut triggers and runs the exe when the user next starts and uses Notepad++ (the user needs to trigger the shortcut, but that can be something that they will do anyway such as typing any key)
This functionality is by design, but by prefixing a trusted path and then /../'ing your way back out of the trusted location, it doesn't show a warning before executing.
Vulnerability rated as high because of the impact, despite the near-impossible exploitability. The CVSS vector for "email the user a malicious file and have them save and execute it", not bothering with the whole shortcuts method, would result in an even higher rating...
Steps to reproduce:
1. Get pwned
2. Open Notepad++
3. Get pwned again (?)
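The trusted-path bypass described in the thread, seen from the defender's side, as an added example that is not part of the thread and not Notepad++'s code: a raw prefix check next to one that collapses `..` before comparing whole path components. The trusted directory, the function names and the sample paths are assumptions constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any OS

# Assumed trusted location; the thread does not name the real one.
TRUSTED_DIR = r"C:\Program Files\Notepad++"

def naive_is_trusted(command_path, trusted_dir=TRUSTED_DIR):
    """Raw string-prefix check: the kind of check the thread describes as bypassable."""
    candidate = command_path.lower().replace("/", "\\")
    return candidate.startswith(trusted_dir.lower())

def canonical_is_trusted(command_path, trusted_dir=TRUSTED_DIR):
    """Collapse '.' and '..' first, then compare whole path components."""
    if not ntpath.isabs(command_path):
        return False  # a relative path has no fixed location to trust
    resolved = ntpath.normcase(ntpath.normpath(command_path))
    root = ntpath.normcase(ntpath.normpath(trusted_dir))
    try:
        # commonpath works per component, so "Notepad++Evil" does not match "Notepad++"
        return ntpath.commonpath([resolved, root]) == root
    except ValueError:  # paths on different drives
        return False

# Constructed sample commands, shaped like the ones a shortcuts.xml entry could hold.
SAMPLES = [
    r"C:\Program Files\Notepad++\tools\helper.exe",
    r"C:\Program Files\Notepad++/../../Users/victim/Downloads/definitely_legit.exe",
    r"C:\Program Files\Notepad++Evil\helper.exe",
    r"D:\Program Files\Notepad++\tools\helper.exe",
]

def audit(paths=SAMPLES):
    """Return (path, naive verdict, canonical verdict) for each candidate command."""
    return [(p, naive_is_trusted(p), canonical_is_trusted(p)) for p in paths]

if __name__ == "__main__":
    for path, naive, canonical in audit():
        flag = "  <-- warning would be skipped" if naive and not canonical else ""
        print(f"naive={naive!s:5} canonical={canonical!s:5} {path}{flag}")
```

`ntpath.normpath` is purely lexical; on a real Windows host the check should also resolve junctions and symlinks (for example with `os.path.realpath`) before comparing.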