CVE-2025-12824
Local File Inclusion in Player Leaderboard Plugin Enables RCE
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | player_leaderboard | 1.0.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your WordPress installation is running the Player Leaderboard plugin version 1.0.2 or earlier, as these versions are vulnerable. You can also look for suspicious use of the 'player_leaderboard' shortcode with a 'mode' attribute that includes unexpected or malicious file paths. Since the vulnerability involves Local File Inclusion via the 'mode' attribute, monitoring web server logs for requests containing the shortcode with unusual 'mode' parameters may help detect exploitation attempts. Specific commands to check the plugin version include:

1. Using WP-CLI to check the plugin version: `wp plugin get player-leaderboard --field=version`
2. Searching web server logs for suspicious shortcode usage, e.g., `grep -i 'player_leaderboard' /var/log/apache2/access.log | grep 'mode='`
3. Checking for uploaded PHP files or unexpected files in the WordPress uploads directory or plugin directories that could be included.

Note that no direct detection commands for exploitation are provided in the resources, but these steps help identify vulnerable versions and potential exploitation attempts. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Player Leaderboard plugin to version 1.0.3 or later, where the vulnerability has been fixed by sanitizing the 'mode' attribute used in file inclusion. This update prevents arbitrary file inclusion and remote code execution. Additionally, ensure that only trusted users have Contributor-level access or higher, as the vulnerability requires authenticated access at that level. If updating immediately is not possible, consider disabling the plugin temporarily or restricting access to the shortcode functionality until the update can be applied. [2]
Can you explain this vulnerability to me?
This vulnerability is a Local File Inclusion (LFI) issue in the Player Leaderboard plugin for WordPress (up to version 1.0.2). It occurs because the plugin uses an unsanitized user-supplied value from the 'mode' attribute of the 'player_leaderboard' shortcode in a call to include() without proper path validation. This allows authenticated users with Contributor-level access or higher to include and execute arbitrary PHP files on the server.
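The pattern described above, shown as an added illustration rather than the plugin's own code: a hypothetical shortcode handler that passes the 'mode' attribute into include() unchecked, beside a hardened version that resolves the attribute against a fixed allowlist so user input never becomes part of the filesystem path. Function names, the templates/ directory and the mode names are assumptions.

```php
<?php
// Added example modelled on the CVE description; NOT the Player Leaderboard
// plugin's code. Names below (pl_leaderboard_*, templates/) are assumptions.

// Vulnerable pattern (CWE-22): the untrusted 'mode' attribute is concatenated
// into the include path, so a traversal sequence or another PHP file name is
// resolved and executed by the server.
function pl_leaderboard_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'default' ), $atts, 'player_leaderboard' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['mode'] . '.php';
    return ob_get_clean();
}

// Hardened pattern: the attribute is only ever used as a key into a fixed map of
// known templates; unknown or malformed values fall back to the default.
function pl_leaderboard_hardened( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'default' ), $atts, 'player_leaderboard' );

    $templates = array(
        'default' => 'templates/default.php',
        'compact' => 'templates/compact.php',
    );

    // sanitize_key() keeps only lowercase [a-z0-9_-], so no separators survive;
    // the isset() check is the actual control, the sanitizer is defence in depth.
    $mode = sanitize_key( $atts['mode'] );
    if ( ! isset( $templates[ $mode ] ) ) {
        $mode = 'default';
    }

    ob_start();
    include plugin_dir_path( __FILE__ ) . $templates[ $mode ];
    return ob_get_clean();
}

add_shortcode( 'player_leaderboard', 'pl_leaderboard_hardened' );
```

Because Contributors can place shortcodes in post content, the allowlist must be enforced in the handler itself; relying on editorial review of the attribute value is not a control.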
How can this vulnerability impact me?
An attacker with Contributor-level access or above can exploit this vulnerability to execute arbitrary PHP code on the server. This can lead to bypassing access controls, obtaining sensitive data, or achieving full remote code execution if combined with file upload capabilities, potentially compromising the entire server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated attackers to execute arbitrary PHP code on the server, potentially bypassing access controls and obtaining sensitive data. Such unauthorized access and data exposure could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.