Impact
An attacker can supply a target filename used by the Sales Countdown Timer plugin’s PHP include/require logic, enabling local file inclusion. Because the plugin does not validate or sanitize the path, an attacker can read sensitive configuration, log, or webroot files and, if the server allows execution of included PHP, run arbitrary code, compromising confidentiality, integrity, and availability of the WordPress site.
Affected Systems
The flaw affects any installation of the Sales Countdown Timer for WooCommerce and WordPress plugin from Villatheme that is version 1.1.8 or earlier. The plugin is a WordPress extension used with WooCommerce to display countdown timers.
Risk and Exploitability
The flaw carries a base severity score of 7.5, which places it in the high severity range. Exploit probability is calculated to be very low (<1%), indicating that current exploitation attempts are rare, and the vulnerability is not listed in the catalog of known exploited vulnerabilities. Attackers can exploit it through a web request that points the plugin’s file inclusion mechanism to an arbitrary local file. No privileged credentials are required, so any publicly accessible site that runs a vulnerable plugin version is at risk; potential impact ranges from reading files to executing code, the latter where the server executes the contents of the included file as PHP.
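The pattern behind this class of flaw, and the fix a plugin maintainer would apply, as an added illustration that is not code from the Sales Countdown Timer plugin: a hypothetical template loader with an unvalidated include beside a hardened version that allowlists the file name and confirms the resolved path stays inside a fixed directory. The `template` request parameter, the `templates/` directory and the file names in the allowlist are assumptions.

```php
<?php
// Added example, not the plugin's own code. The 'template' parameter and
// the templates/ directory are hypothetical.

// Vulnerable shape (shown for contrast only, never called below): the
// request-controlled value reaches include() unchanged, so a relative
// path such as ../../wp-config.php escapes the intended directory and
// any readable local file can be included.
function render_template_unsafe(string $requested): void {
    include __DIR__ . '/templates/' . $requested;
}

// Hardened shape: two independent layers.
//  1. Allowlist: only known template names are accepted at all.
//  2. Containment: the canonical path must sit below the templates
//     directory, which also defeats symlinks pointing outside it.
function render_template_safe(string $requested): bool {
    $allowed = ['default.php', 'compact.php', 'banner.php']; // assumed names
    if (!in_array($requested, $allowed, true)) {
        return false;
    }

    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . $requested);
    // realpath() returns false when the file does not exist; the prefix
    // comparison rejects anything resolved outside $base.
    if ($base === false || $path === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Request handling: fall back to a fixed default and answer 400 rather
// than echoing the rejected value back into the page.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'default.php';
if (!render_template_safe($requested)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

On a WordPress install the same check would normally also pass the value through `sanitize_file_name()` before the allowlist lookup; the allowlist remains the control that actually closes the inclusion path.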
OpenCVE Enrichment