Impact
The WebCodingPlace Responsive Posts Carousel Pro plugin for WordPress does not properly control the filename passed to an include/require statement in its PHP code, allowing local file inclusion: an attacker could retrieve arbitrary files from the server, exposing sensitive configuration or source code. The weakness maps to CWE-98 and can lead to information disclosure. At its core, the plugin does not sanitize the user input that determines the included file path. The impact is confined to the server hosting the WordPress site, but an attacker could read files that were never meant to be publicly accessible.
Affected Systems
The WebCodingPlace Responsive Posts Carousel Pro WordPress plugin is affected in all releases up to and including version 15.0. Any site running version 15.0 or earlier of this plugin is susceptible to the local file inclusion flaw. No specific WordPress core or PHP versions are mentioned as additional constraints.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% signals a low exploit probability under current threat data. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is application-level input that an attacker with at least submit-level access to the plugin settings can manipulate, or possibly unauthenticated access if the parameter is publicly exposed. The exploit is straightforward: the attacker supplies an arbitrary file name in a request that the plugin’s include/require logic processes. Successful exploitation could allow the attacker to read files such as the WordPress configuration, user data, or site source code.
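To make the CWE-98 pattern described under Impact and Risk and Exploitability concrete, the following is an added example and not the plugin's own code: a hypothetical carousel "template" loader showing the weak include beside a hardened version that only accepts allowlisted keys and verifies the resolved path stays inside the templates directory. The parameter name `template`, the `templates/` directory and the function names are assumptions.

```php
<?php
// Added example (hypothetical loader, not the plugin's code). The request
// parameter name and the templates/ directory are assumptions.

// Weak pattern (CWE-98): the raw request value decides which file is included,
// so any readable file the web server can reach may be pulled into the page.
function load_template_unsafe(string $template): void {
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: the request value is only ever a key into a fixed
// allowlist, and the resolved path is checked to sit under the templates
// directory before include() sees it.
const CAROUSEL_TEMPLATES = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'slider'  => 'slider.php',
];

function resolve_template(string $requested): ?string {
    // 1. Only a known key is accepted; unknown values never touch the filesystem.
    if (!array_key_exists($requested, CAROUSEL_TEMPLATES)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . CAROUSEL_TEMPLATES[$requested]);
    // 2. Defence in depth: the file must exist and resolve inside $base, so a
    //    mis-edited allowlist entry or symlink cannot escape the directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function load_template_safe(string $requested): void {
    $path = resolve_template($requested);
    if ($path === null) {
        // Record the rejected value for detection, then fall back to a known
        // template instead of including whatever was asked for.
        error_log('Rejected carousel template request: ' . $requested);
        $path = resolve_template('default');
    }
    if ($path !== null) {
        include $path;
    }
}

// Usage: the request value is mapped through the allowlist, never concatenated
// into the include path.
load_template_safe((string) ($_GET['template'] ?? 'default'));
```

In a WordPress plugin the same approach applies with the core `sanitize_key()` helper run on the request value first; the allowlist and path check remain the actual control.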
OpenCVE Enrichment