CVE-2025-14475
Local File Inclusion in WPBakery Extensive VC Addons Plugin
Publication date: 2025-12-13
Last updated on: 2025-12-13
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpres | wpbakery_page_builder | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Extensive VC Addons for WPBakery page builder plugin for WordPress, affecting all versions up to and including 1.9.1. It is a Local File Inclusion (LFI) vulnerability caused by insufficient path normalization and validation of the user-supplied 'shortcode_name' parameter in the 'extensive_vc_init_shortcode_pagination' AJAX action. This flaw allows unauthenticated attackers to include and execute arbitrary PHP files on the server by manipulating the 'shortcode_name' parameter, leading to execution of any PHP code contained in those files.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary PHP code on the affected server. This can lead to full compromise of the server, including unauthorized access, data theft, data modification, service disruption, or further attacks within the network. The high CVSS score (8.1) reflects the critical nature of this vulnerability with high impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious AJAX requests to the WordPress site targeting the `extensive_vc_init_shortcode_pagination` action with unusual or malicious `shortcode_name` parameter values that attempt Local File Inclusion. You can check your web server logs or use tools like curl to simulate such requests. For example, a command to test might be:

```bash
curl -X POST -d "action=extensive_vc_init_shortcode_pagination&shortcode_name=../../../../etc/passwd" https://yourwordpresssite.com/wp-admin/admin-ajax.php
```

Additionally, scanning for the presence of the Extensive VC Addons for WPBakery plugin version 1.9.1 or earlier can help identify vulnerable installations. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Update the Extensive VC Addons for WPBakery page builder plugin to a version later than 1.9.1 where this vulnerability is fixed.
2. If an update is not immediately possible, restrict access to the AJAX endpoint `admin-ajax.php` for unauthenticated users or implement a Web Application Firewall (WAF) rule to block requests with suspicious `shortcode_name` parameters.
3. Monitor logs for exploitation attempts and consider disabling the plugin temporarily if exploitation is detected.
4. Apply the principle of least privilege to the WordPress installation and server to limit damage from potential exploitation.
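The log-monitoring step above (and the detection answer before it) can be automated. The following is an added example, not code from the page or the plugin: it scans access-log lines in the common "combined" format for requests to `admin-ajax.php` carrying the `extensive_vc_init_shortcode_pagination` action, and applies the check the plugin lacked, decoding the `shortcode_name` value and normalizing it as a path before deciding whether it escapes its directory. The slug allowlist regex and the sample log lines are constructed assumptions; note that standard access logs record only the query string, so a traversal sent in a POST body is visible only in a WAF or ModSecurity audit log.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

ACTION = "extensive_vc_init_shortcode_pagination"
# Assumption: legitimate shortcode names are plain slugs (allowlist, the hardening rule).
SLUG_OK = re.compile(r"[a-z0-9_-]+")
# Apache/nginx "combined" format; only client, timestamp, request target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_shortcode_name(value):
    """Return None for a benign slug, else 'path-traversal' or 'non-slug'."""
    decoded = value
    for _ in range(3):               # peel repeated percent-encoding (parse_qs already did one pass)
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if SLUG_OK.fullmatch(decoded):
        return None
    # The normalization the vulnerable code skipped: collapse "." / ".." and check for escape.
    norm = posixpath.normpath(decoded.replace("\\", "/"))
    if norm.startswith("..") or norm.startswith("/") or "\x00" in decoded:
        return "path-traversal"
    return "non-slug"

def scan_log(lines):
    """Yield (ip, timestamp, raw shortcode_name, reason) for suspicious requests to the action."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        q = parse_qs(parts.query)
        if q.get("action", [""])[0] != ACTION:
            continue
        name = q.get("shortcode_name", [""])[0]
        reason = classify_shortcode_name(name)
        if reason:
            hits.append((m["ip"], m["ts"], name, reason))
    return hits

# Constructed sample log lines (not real traffic): one benign call, one plain traversal
# mirroring the curl test above, one double-encoded variant, and one POST whose body is not logged.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Dec/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=extensive_vc_init_shortcode_pagination&shortcode_name=evc_blog_list HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Dec/2025:10:02:15 +0000] "GET /wp-admin/admin-ajax.php?action=extensive_vc_init_shortcode_pagination&shortcode_name=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1431 "-" "curl/8.0"',
    '198.51.100.7 - - [13/Dec/2025:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=extensive_vc_init_shortcode_pagination&shortcode_name=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1431 "-" "curl/8.0"',
    '198.51.100.7 - - [13/Dec/2025:10:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Feed real log lines with `scan_log(open("/var/log/apache2/access.log"))`; every hit is a request worth correlating with the status code and the plugin version installed.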