CVE-2025-12824
Unknown Unknown - Not Provided
Local File Inclusion in Player Leaderboard Plugin Enables RCE

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Wordfence

Description
The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12824
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress player_leaderboard 1.0.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by checking if your WordPress installation is running the Player Leaderboard plugin version 1.0.2 or earlier, as these versions are vulnerable. You can also look for suspicious use of the 'player_leaderboard' shortcode with a 'mode' attribute that includes unexpected or malicious file paths. Since the vulnerability involves Local File Inclusion via the 'mode' attribute, monitoring web server logs for requests containing the shortcode with unusual 'mode' parameters may help detect exploitation attempts. Specific commands to check the plugin version include: 1. Using WP-CLI to check the plugin version: `wp plugin get player-leaderboard --field=version` 2. Searching web server logs for suspicious shortcode usage, e.g., `grep -i 'player_leaderboard' /var/log/apache2/access.log | grep 'mode='` 3. Checking for uploaded PHP files or unexpected files in the WordPress uploads directory or plugin directories that could be included. Note that no direct detection commands for exploitation are provided in the resources, but these steps help identify vulnerable versions and potential exploitation attempts. [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Player Leaderboard plugin to version 1.0.3 or later, where the vulnerability has been fixed by sanitizing the 'mode' attribute used in file inclusion. This update prevents arbitrary file inclusion and remote code execution. Additionally, ensure that only trusted users have Contributor-level access or higher, as the vulnerability requires authenticated access at that level. If updating immediately is not possible, consider disabling the plugin temporarily or restricting access to the shortcode functionality until the update can be applied. [2]

Executive Summary

This vulnerability is a Local File Inclusion (LFI) issue in the Player Leaderboard plugin for WordPress (up to version 1.0.2). It occurs because the plugin uses an unsanitized user-supplied value from the 'mode' attribute of the 'player_leaderboard' shortcode in a call to include() without proper path validation. This allows authenticated users with Contributor-level access or higher to include and execute arbitrary PHP files on the server.

Impact Analysis

An attacker with Contributor-level access or above can exploit this vulnerability to execute arbitrary PHP code on the server. This can lead to bypassing access controls, obtaining sensitive data, or achieving full remote code execution if combined with file upload capabilities, potentially compromising the entire server.

Compliance Impact

This vulnerability allows authenticated attackers to execute arbitrary PHP code on the server, potentially bypassing access controls and obtaining sensitive data. Such unauthorized access and data exposure could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and strict access controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12824. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart