Impact
This vulnerability is an improper control of the filename passed to a PHP include/require statement (the CWE-98 pattern): request input reaches the include path without validation, so an attacker can point it at arbitrary files on the server. The result is a Local File Inclusion flaw, which can expose sensitive configuration files such as wp-config.php and the database credentials and application secrets they hold and, if the attacker can get PHP code into any local file the web server can read (an uploaded file, a poisoned log), escalate to Remote Code Execution. Consequently, the confidentiality, integrity, and availability of the affected WordPress site are all at risk if the flaw is exploited.
Affected Systems
The issue affects the WPB Category Slider for WooCommerce WordPress plugin by WPBean, from its initial release up through version 1.71. No individual releases are singled out below that upper bound, so every version through 1.71 should be treated as affected.
Risk and Exploitability
The CVSS score of 7.5 rates this Local File Inclusion vulnerability as High severity. The EPSS score, however, is below 1%, indicating that the likelihood of exploitation in the wild is currently assessed as low, and the vulnerability is not listed in CISA's KEV catalog. Exploitation typically requires only that an attacker can send the plugin a crafted request in which the file parameter carries a path traversal sequence or similar input, so that an arbitrary local file is included. How far such an attack goes depends on the server: the web server process's file permissions bound what can be disclosed, and turning disclosure into code execution requires that the attacker can first place PHP content in a local file, for example through an upload directory or a poisoned log. A low EPSS is not a reason to defer: WordPress plugin flaws of this class are routinely mass-scanned once public, and a request with a traversal payload is cheap to craft.
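The following is an added illustration of the flaw class described in the Impact and Risk sections above, not code from the WPB Category Slider plugin or from WPBean. It shows a generic WordPress-style template include in the CWE-98 shape, beside a hardened version that allowlists template names and then confines the resolved path to the templates directory. The "layout" parameter, the templates/ directory, the wpb_ prefix and the layout names are assumptions made for illustration; the inputs in the self-check are constructed traversal and wrapper payloads, not observed exploit traffic.

```php
<?php
// Added example, not code from the WPB Category Slider plugin or from WPBean.
// The "layout" parameter, templates/ directory, wpb_ prefix and layout names
// are assumptions for illustration only.

// Template names this hypothetical plugin ships.
const WPB_LAYOUTS = ['grid', 'slider', 'list'];

// VULNERABLE: the request value reaches include() unmodified, so
// ?layout=../../../../wp-config.php discloses the database credentials, and
// any readable local file that contains PHP (a poisoned access log, an
// uploaded "image" carrying a PHP payload) is executed with the web server's
// privileges.
function wpb_render_layout_vulnerable(string $layout): void
{
    include __DIR__ . '/templates/' . $layout;
}

// HARDENED, layer 1: accept only names from the allowlist. Layer 2: resolve
// the path and confine it to the templates directory, so that an allowlist
// mistake still cannot reach a file outside it.
function wpb_resolve_layout(string $layout, string $templateDir, array $allowed = WPB_LAYOUTS): ?string
{
    if (!in_array($layout, $allowed, true)) {
        return null;                       // unknown name, traversal, null byte, php:// wrapper
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $layout . '.php');
    if ($base === false || $path === false) {
        return null;                       // directory or template file missing
    }
    // realpath() has collapsed ".." and symlinks, so a confined path starts with the base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function wpb_render_layout_safe(string $layout, string $templateDir): void
{
    $path = wpb_resolve_layout($layout, $templateDir);
    if ($path === null) {
        http_response_code(400);
        echo "invalid layout\n";
        return;
    }
    include $path;
}

// Self-check against a constructed temporary directory tree:
//   $tmp/templates/grid.php   a legitimate template
//   $tmp/secret.php           a file outside the templates directory
$tmp = sys_get_temp_dir() . '/wpb_lfi_demo_' . getmypid();
mkdir($tmp . '/templates', 0700, true);
file_put_contents($tmp . '/templates/grid.php', "<?php echo \"grid ok\\n\";\n");
file_put_contents($tmp . '/secret.php', "<?php echo \"should never run\\n\";\n");

$cases = [
    ['grid',                    WPB_LAYOUTS,           true],   // shipped template
    ['../secret',               WPB_LAYOUTS,           false],  // traversal: stopped by the allowlist
    ['grid/../../secret',       WPB_LAYOUTS,           false],  // traversal behind a valid prefix
    ["grid\0",                  WPB_LAYOUTS,           false],  // null byte: stopped before any filesystem call
    ['php://filter/resource=x', WPB_LAYOUTS,           false],  // stream wrapper: not a template name
    ['../secret',               ['grid', '../secret'], false],  // broken allowlist: stopped by path confinement
];
foreach ($cases as [$input, $allowed, $expected]) {
    $ok = wpb_resolve_layout($input, $tmp . '/templates', $allowed) !== null;
    printf("%-28s %s\n", addcslashes($input, "\0"), $ok === $expected ? 'PASS' : 'FAIL');
}
wpb_render_layout_safe('grid', $tmp . '/templates');   // prints "grid ok"
```

The order of the two checks matters: the allowlist comparison runs before any filesystem call, so inputs containing null bytes or stream-wrapper prefixes never reach realpath() or include(), and the realpath prefix check only has to catch mistakes in the allowlist itself. In a real plugin the 400 response would be replaced by the project's own error handling, and the allowlist would be derived from the templates the plugin actually ships rather than a hard-coded constant.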
OpenCVE Enrichment