CVE-2025-14475
Unknown Unknown - Not Provided
Local File Inclusion in WPBakery Extensive VC Addons Plugin

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description
The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-06-16
AI Q&A
2025-12-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14475
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpres wpbakery_page_builder *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Extensive VC Addons for WPBakery page builder plugin for WordPress, affecting all versions up to and including 1.9.1. It is a Local File Inclusion (LFI) vulnerability caused by insufficient path normalization and validation of the user-supplied 'shortcode_name' parameter in the 'extensive_vc_init_shortcode_pagination' AJAX action. This flaw allows unauthenticated attackers to include and execute arbitrary PHP files on the server by manipulating the 'shortcode_name' parameter, leading to execution of any PHP code contained in those files.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary PHP code on the affected server. This can lead to full compromise of the server, including unauthorized access, data theft, data modification, service disruption, or further attacks within the network. The high CVSS score (8.1) reflects the critical nature of this vulnerability with high impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious AJAX requests to the WordPress site targeting the `extensive_vc_init_shortcode_pagination` action with unusual or malicious `shortcode_name` parameter values that attempt Local File Inclusion. You can check your web server logs or use tools like curl to simulate such requests. For example, a command to test might be: curl -X POST -d "action=extensive_vc_init_shortcode_pagination&shortcode_name=../../../../etc/passwd" https://yourwordpresssite.com/wp-admin/admin-ajax.php Additionally, scanning for the presence of the Extensive VC Addons for WPBakery plugin version 1.9.1 or earlier can help identify vulnerable installations. [3]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the Extensive VC Addons for WPBakery page builder plugin to a version later than 1.9.1 where this vulnerability is fixed. 2. If an update is not immediately possible, restrict access to the AJAX endpoint `admin-ajax.php` for unauthenticated users or implement a Web Application Firewall (WAF) rule to block requests with suspicious `shortcode_name` parameters. 3. Monitor logs for exploitation attempts and consider disabling the plugin temporarily if exploitation is detected. 4. Apply principle of least privilege to the WordPress installation and server to limit damage from potential exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart