The vulnerability in VINAGECKO VG WooCarousel allows an attacker to include arbitrary files through an improper control of the include/require filename in PHP. This is a local file inclusion flaw, classified as CWE‑98, and can lead to the execution of remote code if the attacker has the ability to provide a path to a malicious file. The impact is a potential compromise of the host where the WordPress site is running, as arbitrary code could be executed in the context of the web server process.

Affected software is the WordPress plugin VG WooCarousel released by VINAGECKO. All versions from the initial release up through version 1.3 are vulnerable. The vulnerability was found in the plugin’s source directory handling and applies to the PHP code that processes carousel data.

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1%, suggesting there have been few or no reported exploit attempts so far, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local, requiring the attacker to have some level of file write or execution rights on the server, possibly through an authenticated site administrator or via exploitation of another local vulnerability. Because the flaw is tied to how the plugin handles file paths, an attacker who can supply a crafted path may trigger the inclusion of a sensitive file or inject code that is then executed on the server.