PHP remote file inclusion vulnerability in actions.php in the Allwebmenus plugin 1.1.3 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
https://exchange.xforce.ibmcloud.com/vulnerabilities/69929
http://www.securityfocus.com/bid/49685