Impact
Improper control of the filename used in PHP include/require statements in the PoloPag – Pix Automático para Woocommerce plugin allows an attacker to make the server include an arbitrary local file. This is a classic PHP Local File Inclusion vulnerability (CWE-98): an unauthenticated user can read sensitive files and, if the server executes the included files, potentially run malicious code. The impact is loss of confidentiality, integrity, or availability of the WordPress site's files and configuration.
Affected Systems
The vulnerability affects the PoloPag – Pix Automático para Woocommerce plugin (wc-polo-payments) in all versions from the first release up to and including version 2.0.9. No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation in the near term, and the issue is not currently listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request to the plugin's exposed endpoint that manipulates the include path parameter. Based on the description, an attacker who triggers the LFI can read local files and, if the server executes the included files, may run arbitrary code; this latter consequence is inferred rather than stated.
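To make the CWE-98 pattern described above concrete, the following is an added illustration in PHP. It is not code from the wc-polo-payments plugin or from PoloPag; the `template` request parameter, the `templates/` directory and the template names are assumptions for the example, because the page does not name the plugin's actual include-path parameter. The first function shows the vulnerable shape (the request value flows straight into `include`); the second resolves the untrusted value through a fixed allowlist and then confirms the resolved path still lies inside the intended directory.

```php
<?php
// Added example, not the plugin's code. The 'template' parameter, the
// templates/ directory and the template names are hypothetical.

// Vulnerable pattern (CWE-98): the untrusted request value decides which
// file is included, so traversal sequences or absolute paths are honoured.
function render_template_vulnerable(array $request): void
{
    $template = $request['template'] ?? 'default';
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: the request value is only ever used as a key into a
// fixed map; the raw string never becomes part of a filesystem path.
const ALLOWED_TEMPLATES = [
    'default' => 'default.php',
    'receipt' => 'receipt.php',
    'qrcode'  => 'qrcode.php',
];

// Returns the absolute path of an allowlisted template, or null if the
// name is unknown or the resolved file escapes the templates directory.
function resolve_template(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null; // unknown key: refuse instead of guessing a file
    }

    $base = realpath(__DIR__ . '/templates');
    $real = realpath(__DIR__ . '/templates/' . ALLOWED_TEMPLATES[$name]);

    // Defence in depth: even an allowlisted entry must resolve to a file
    // below the templates directory (guards against symlinks or a bad map).
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function render_template_hardened(array $request): void
{
    $name = (string) ($request['template'] ?? 'default');
    $path = resolve_template($name);

    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Usage: in a WordPress handler the input would come from $_GET, $_POST
// or a WP_REST_Request object; the hardened function is the one to call.
render_template_hardened($_GET);
```

The allowlist is the actual fix; the `realpath` comparison is a second layer that catches mistakes in the map or symlinks under `templates/`. When reviewing a patched plugin version, the thing to confirm is that no request-controlled string reaches `include`, `require`, `include_once` or `require_once` without going through a lookup of this kind.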
OpenCVE Enrichment