Impact
The flaw is an improper control of the file name used in a PHP include or require statement (the CWE-98 weakness class, exploited here as a local file inclusion) in the WordPress plugin "Extensive VC Addons for WPBakery page builder". An attacker who can influence that file name can make the plugin include, and therefore execute as PHP, files that already exist on the server. Two outcomes follow. If the included file is not PHP, its raw contents are emitted into the response, which discloses anything the web server account can read, such as configuration files (for a WordPress site, wp-config.php with its database credentials and salts). If the attacker can point the include at a file containing PHP that they control, for example one placed on the server through an earlier upload, the result is arbitrary code execution under the web server account.
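To make the mechanism concrete, the following is an added illustration and not code from the affected plugin: a hypothetical vulnerable include next to a hardened version that maps the request value onto a closed allowlist and then checks that the resolved path still lies inside the intended directory. The parameter name `template`, the directory layout and all function names are assumptions for the example.

```php
<?php
// Added illustration of the weakness class, not code from the affected plugin.
// The parameter name "template", the directory layout and the function names
// are assumed for the example.

// BEFORE (hypothetical): a request value reaches include() unchanged, so
// ?template=../../../wp-config.php includes and executes that file, and
// ?template=../../uploads/2024/03/avatar.jpg executes PHP hidden in an upload.
function render_template_vulnerable(array $request, string $templateDir): void
{
    $template = $request['template'] ?? 'default';
    include $templateDir . '/' . $template . '.php';
}

// AFTER: map the request value onto a closed allowlist, then confirm the
// resolved filesystem path still lies under the templates directory.
const ALLOWED_TEMPLATES = ['default', 'grid', 'carousel'];

function resolve_template(string $name, string $templateDir): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                       // unknown name: refuse rather than sanitise
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                       // directory or template file missing
    }
    // realpath() collapses "../" and symlinks; the result must sit below $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(array $request, string $templateDir): void
{
    $path = resolve_template((string) ($request['template'] ?? 'default'), $templateDir);
    if ($path === null) {
        http_response_code(400);
        return;
    }
    include $path;
}

// Self-check against a temporary templates directory (constructed input).
function demo(): array
{
    $dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    @mkdir($dir, 0700, true);
    file_put_contents($dir . '/default.php', "<?php echo 'default template';\n");

    $results = [
        'allowed'   => resolve_template('default', $dir) !== null,
        'traversal' => resolve_template('../../../../etc/passwd', $dir) === null,
        'wrapper'   => resolve_template('php://filter/resource=default', $dir) === null,
        'null_byte' => resolve_template("default\0", $dir) === null,
    ];

    unlink($dir . '/default.php');
    rmdir($dir);
    return $results;   // every entry is true
}

print_r(demo());
```

The allowlist is the control that actually closes the hole; the `realpath()` containment check is a second layer for the case where a later change lets a name through that the allowlist was not written for. Note the null-byte probe never reaches `realpath()` because the strict `in_array()` rejects it first, which matters on PHP 8 where filesystem functions throw on paths containing NUL.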
Affected Systems
Any WordPress site with the plugin "Extensive VC Addons for WPBakery page builder" installed at any version from its first release through 1.9.1 is affected. Exposure does not depend on how the site is configured or on which users hold administrative or plugin-installation rights: the vulnerable code is a core function of the plugin that may be invoked during normal site operation, so having the plugin installed is what matters. Operators should compare the installed version against 1.9.1 and update to a release the vendor identifies as fixed.
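As an added example for that version check (not part of the advisory, and independent of the plugin's directory slug, which this page does not state), the script below walks a WordPress plugins directory, identifies the plugin by its `Plugin Name:` header and compares its `Version:` header against 1.9.1. The header parsing follows what WordPress itself does with the first 8 KiB of a plugin's main file. The `1.9.2` value in the demo is a constructed input, not a statement that 1.9.2 is the fixed release.

```php
<?php
// Added example, not part of the advisory. Locates the affected plugin under a
// WordPress plugins directory by its "Plugin Name:" header rather than by a
// directory slug, and compares its "Version:" header against 1.9.1.

const AFFECTED_PLUGIN_NAME  = 'Extensive VC Addons for WPBakery page builder';
const LAST_AFFECTED_VERSION = '1.9.1';

// Parse the plugin header block the way WordPress does: first 8 KiB of the
// file, one "Field: value" per line, trailing comment terminator stripped.
function parse_plugin_header(string $file): ?array
{
    $head = @file_get_contents($file, false, null, 0, 8192);
    if ($head === false) {
        return null;
    }
    $fields = [];
    foreach (['Plugin Name', 'Version'] as $field) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($field, '/') . ':(.*)$/mi', $head, $m)) {
            $fields[$field] = trim(preg_replace('/\s*(?:\*\/|\?>).*/', '', $m[1]));
        }
    }
    return isset($fields['Plugin Name']) ? $fields : null;
}

function find_affected_installs(string $pluginsDir): array
{
    $candidates = array_merge(
        glob($pluginsDir . '/*.php') ?: [],      // single-file plugins
        glob($pluginsDir . '/*/*.php') ?: []     // plugin directories
    );
    $hits = [];
    foreach ($candidates as $file) {
        $h = parse_plugin_header($file);
        if ($h === null || strcasecmp($h['Plugin Name'], AFFECTED_PLUGIN_NAME) !== 0) {
            continue;
        }
        // A missing or empty Version header is treated as "0": conservatively affected.
        $version = ($h['Version'] ?? '') !== '' ? $h['Version'] : '0';
        $hits[] = [
            'file'     => $file,
            'version'  => $version,
            'affected' => version_compare($version, LAST_AFFECTED_VERSION, '<='),
        ];
    }
    return $hits;
}

// Constructed demo: two fake plugin directories carrying the plugin's name,
// one at 1.9.1 and one at 1.9.2 (the latter is invented test data only).
function demo(): array
{
    $root = sys_get_temp_dir() . '/wp_plugins_demo_' . getmypid();
    foreach (['old' => '1.9.1', 'new' => '1.9.2'] as $slug => $ver) {
        @mkdir("$root/$slug", 0700, true);
        file_put_contents("$root/$slug/plugin.php",
            "<?php\n/*\nPlugin Name: " . AFFECTED_PLUGIN_NAME . "\nVersion: $ver\n*/\n");
    }
    $hits = find_affected_installs($root);
    foreach (['old', 'new'] as $slug) {
        unlink("$root/$slug/plugin.php");
        rmdir("$root/$slug");
    }
    rmdir($root);
    return $hits;   // 'old' reports affected => true, 'new' reports affected => false
}

print_r(demo());
```

On a real install, call `find_affected_installs('/path/to/wp-content/plugins')` instead of `demo()`. Matching on the header rather than the directory name also catches copies that were renamed or installed by hand.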
Risk and Exploitability
With a CVSS score of 8.1 the vulnerability is rated high severity. Its EPSS score is below 1%, meaning the model estimates a low probability of exploitation activity in the wild over the next 30 days, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Neither figure reduces the impact of a successful attack; they describe current exploitation likelihood, not consequence. Because the flaw consists of attacker influence over the file name passed to a local include, the attack path is a request that delivers a file name to the affected plugin code. Whether that request must be authenticated is not established here, so treat the exposure as reachable by unauthenticated requests until the site confirms otherwise. Successful exploitation could let an attacker read arbitrary files the web server account can access or execute code on the affected WordPress server.
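For operators who want to look for exploitation attempts in existing logs, the following is an added example that is not part of the advisory. It flags access-log lines whose request target carries the payload shapes typical of local file inclusion attempts (directory traversal, PHP stream wrappers, well-known sensitive file names, null bytes), after URL-decoding the target twice so that encoded and double-encoded variants match the plain patterns. The log lines are constructed and the query parameter name `tpl` is illustrative; this page does not name the vulnerable parameter or endpoint.

```php
<?php
// Added example, not from the advisory. Flags web-server access-log lines that
// carry payload shapes typical of local file inclusion attempts. Log lines are
// constructed; the parameter name "tpl" is illustrative only.

// Patterns are applied to the decoded request target, so encoded variants
// (%2e%2e%2f, double-encoded %252e...) are caught by the plain forms below.
const LFI_INDICATORS = [
    'traversal'      => '/\.\.[\/\\\\]/',
    'php_wrapper'    => '/\b(?:php|phar|data|expect|zip):\/\//i',
    'sensitive_file' => '/(?:wp-config\.php|\/etc\/passwd|\/proc\/self\/environ)/i',
    'null_byte'      => '/\x00/',
];

function decode_target(string $target): string
{
    // Decode twice: double encoding is a common trick against single-decode filters.
    return rawurldecode(rawurldecode($target));
}

function classify_request(string $line): ?array
{
    // Combined log format: ... "GET /path?query HTTP/1.1" <status> <bytes>
    if (!preg_match('/"(GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    $target = decode_target($m[2]);
    $hits = [];
    foreach (LFI_INDICATORS as $name => $re) {
        if (preg_match($re, $target)) {
            $hits[] = $name;
        }
    }
    if ($hits === []) {
        return null;
    }
    return ['target' => $target, 'status' => (int) $m[3], 'indicators' => $hits];
}

function hunt(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $r = classify_request($line);
        if ($r !== null) {
            $flagged[] = $r;
        }
    }
    return $flagged;
}

// Constructed sample lines; 203.0.113.0/24 is a documentation address range.
$sample = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /index.php?tpl=../../../../wp-config.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Mar/2024:10:00:03 +0000] "GET /index.php?tpl=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4211',
    '203.0.113.11 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php?tpl=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
];

foreach (hunt($sample) as $hit) {
    // A 200 response to a traversal or wrapper request deserves a look at what was returned.
    printf("%s %s -> %s\n", $hit['status'], $hit['target'], implode(',', $hit['indicators']));
}
```

The first sample line is a normal request and is not reported; the other three are flagged with their matching indicators. In a real hunt, prioritise flagged requests that received a 200 and a non-trivial response size, since those are the ones where the include may actually have succeeded, and treat the `php://filter` form as a strong signal because it is the standard way to exfiltrate PHP source without executing it.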
OpenCVE Enrichment