Remote File Inclusion (RFI) leading to Remote Code Execution (RCE) via CSRF vulnerability discovered by Krzysztof Zając in WordPress Modal Window plugin (versions <= 5.2.1).
Update the WordPress Modal Window plugin to the latest available version (at least 5.2.2).