CVE-2025-14475
Unknown Unknown - Not Provided

Local File Inclusion in WPBakery Extensive VC Addons Plugin

Vulnerability report for CVE-2025-14475, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-13

Last updated on: 2025-12-13

Assigner: Wordfence

Description

The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-13
Last Modified
2025-12-13
Generated
2026-07-06
AI Q&A
2025-12-13
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpres wpbakery_page_builder *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability can be detected by monitoring for suspicious AJAX requests to the WordPress site targeting the `extensive_vc_init_shortcode_pagination` action with unusual or malicious `shortcode_name` parameter values that attempt Local File Inclusion. You can check your web server logs or use tools like curl to simulate such requests. For example, a command to test might be: curl -X POST -d "action=extensive_vc_init_shortcode_pagination&shortcode_name=../../../../etc/passwd" https://yourwordpresssite.com/wp-admin/admin-ajax.php Additionally, scanning for the presence of the Extensive VC Addons for WPBakery plugin version 1.9.1 or earlier can help identify vulnerable installations. [3]

Executive Summary

This vulnerability exists in the Extensive VC Addons for WPBakery page builder plugin for WordPress, affecting all versions up to and including 1.9.1. It is a Local File Inclusion (LFI) vulnerability caused by insufficient path normalization and validation of the user-supplied 'shortcode_name' parameter in the 'extensive_vc_init_shortcode_pagination' AJAX action. This flaw allows unauthenticated attackers to include and execute arbitrary PHP files on the server by manipulating the 'shortcode_name' parameter, leading to execution of any PHP code contained in those files.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary PHP code on the affected server. This can lead to full compromise of the server, including unauthorized access, data theft, data modification, service disruption, or further attacks within the network. The high CVSS score (8.1) reflects the critical nature of this vulnerability with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

Immediate mitigation steps include: 1. Update the Extensive VC Addons for WPBakery page builder plugin to a version later than 1.9.1 where this vulnerability is fixed. 2. If an update is not immediately possible, restrict access to the AJAX endpoint `admin-ajax.php` for unauthenticated users or implement a Web Application Firewall (WAF) rule to block requests with suspicious `shortcode_name` parameters. 3. Monitor logs for exploitation attempts and consider disabling the plugin temporarily if exploitation is detected. 4. Apply principle of least privilege to the WordPress installation and server to limit damage from potential exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14475. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart