The vulnerability arises from improper control of the filename used in PHP include or require statements within the Responsive Posts Carousel Pro plugin, permitting local file inclusion. An attacker who can influence the input that dictates the file path may cause the server to read arbitrary local files, exposing server‑side data. If the attacker can place or reference a PHP file in the path, execution of that code might also be achieved, depending on filesystem permissions and execution context. The core weakness is a classic file inclusion flaw (CWE‑98).

WebCodingPlace Responsive Posts Carousel Pro, all releases up to and including version 15.1 are affected. Sites running those versions lack the fix that was introduced in the 15.2 update.

The CVSS score of 7.5 indicates a high level of risk. The EPSS score of < 1% suggests exploitation likelihood remains low at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to supply crafted input that determines the file path for inclusion, which typically would be possible from any context where the plugin handles user-supplied data—often the site administrator or a user with contributor-level access. If an attacker can access the plugin directory or upload files to it, the risk of code execution rises, but such conditions are not guaranteed by the CVSS score alone.