An improper control of the filename used in a PHP include/require statement introduces a PHP Local File Inclusion flaw in the ovatheme BRW WordPress plugin. This vulnerability allows an attacker to read arbitrary local files on the server and may enable execution of malicious code, jeopardizing both confidentiality and integrity of the site. The vendor description indicates that the flaw exists across versions up to 1.8.7, but it does not specify a precise attack surface. Based on the nature of the flaw, it is inferred that the likely attack vector involves a publicly reachable input that supplies a file name to the plugin’s include logic.

WordPress sites that have the ovatheme BRW plugin (ova-brw) installed and running a version numbered 1.8.7 or earlier are vulnerable. The plugin is distributed under the ova-brw package in WordPress repositories. The vulnerability is not limited to a specific WordPress theme or other plugins; it affects any site that includes this plugin irrespective of other components.

The CVSS score of 8.1 indicates high severity, while the EPSS score below 1% suggests a low probability of exploitation in the short term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only access to a publicly available endpoint of the plugin that accepts a file path and passes it to an include/require statement; no privileged credentials are explicitly required. Given that LFI can lead to full code execution if the attacker controls the included file, the potential impact remains significant if the vulnerability is triggered.