PHP remote file inclusion vulnerability in include/loading.php in Alessandro Lulli wavewoo 0.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the path_include parameter.