Impact
The flaw is improper control of the filename supplied to PHP include/require statements in the WPC Product Options for WooCommerce plugin. This allows an attacker to specify arbitrary local file paths, enabling the inclusion of sensitive files, or the execution of malicious PHP code if the payload is placed within an includable file. The impact can range from reading confidential server files to full remote code execution, depending on the attacker's ability to deliver a writable file or exploit existing writable PHP files.
Affected Systems
The vulnerability affects the WPC Product Options for WooCommerce plugin published by WPClever, specifically all releases up to and including version 3.1.3. Any WordPress installation using a vulnerable instance of this plugin is at risk.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that the overall exploitation probability remains low at this time. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is crafted input that the plugin passes directly to include/require calls. It can be exploited by anyone who can influence that input, possibly including unauthenticated users unless mitigated by other access controls. Exploitation requires that the web server allows PHP to read files from the specified paths, and that the attacker can cause the plugin to include a payload or existing file.
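The weakness class described above (request input reaching include/require) and the usual hardening for it, as an added example that is not code from the plugin or from WPClever. The function name `resolve_template`, the parameter name `template` and the template names are hypothetical, and the demo directory is constructed.

```php
<?php
// Added illustration; not the plugin's code. Unsafe shape the advisory describes
// (hypothetical parameter name):
//     include $base . '/' . $_REQUEST['template'] . '.php';

/**
 * Map a request-supplied template name to a file that is safe to include.
 * Returns the absolute path, or null when the name must be refused.
 */
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only names registered by the code itself are selectable.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Containment (defence in depth): canonicalise the path, so symlinks or
    //    an allowlist entry with a path component cannot leave $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temporary template directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/text-field.php', "<?php return 'text-field rendered';\n");
$allowed = ['text-field', 'select-field'];

// text-field: included; select-field: allowed but missing on disk, refused;
// the last two are not on the allowlist, refused before touching the filesystem.
foreach (['text-field', 'select-field', 'not-registered', '../outside'] as $candidate) {
    $file = resolve_template($candidate, $dir, $allowed);
    $result = ($file === null) ? 'rejected' : (include $file);
    echo str_pad($candidate, 16), $result, "\n";
}

unlink($dir . '/text-field.php');
rmdir($dir);
```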