CVE-2025-15368
Local File Inclusion in SportsPress Plugin Allows Code Execution
Publication date: 2026-02-04
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wp_sportspress | sportspress | all versions up to and including 2.7.26 |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require", "include", or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion (LFI) in all versions up to and including 2.7.26 via the 'template_name' attribute of its shortcodes. The attribute selects which template file the plugin includes, but its value is not sufficiently restricted before being passed to the include (CWE-98).
An authenticated user with Contributor-level access or higher can therefore place a shortcode in post content whose 'template_name' points at an arbitrary file on the server. When that content is rendered, the file is included and any PHP code it contains is executed.
The consequences are those of any PHP LFI: bypassing access controls, reading sensitive data, and executing code the attacker would otherwise have no way to run.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Bypassing access controls, allowing attackers to perform actions beyond their intended permissions.
- Obtaining sensitive data stored on the server.
- Executing arbitrary PHP code on the server, which can lead to full compromise of the WordPress site and potentially the underlying server.
The precondition is only Contributor-level access, which in WordPress is a low-privilege role that can write drafts but cannot publish posts or upload files. Any account at that level or above, including a compromised or self-registered contributor account on sites that allow it, is enough to exploit this.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Local File Inclusion via the 'template_name' attribute of SportsPress shortcodes in plugin versions up to and including 2.7.26. Detection has two parts: establishing whether the installed plugin is in the affected range, and finding post content in which 'template_name' has been given a value that is not a template name.
Because exploitation requires an authenticated user with Contributor-level or higher permissions, and the attacker-controlled value is stored in post content through the editor rather than passed in a URL, detection should focus on the content itself, including drafts and pending posts (Contributors cannot publish, so a malicious shortcode may never reach a published page).
No detection signature is provided in the available resources. A first pass is to search the WordPress database for content that uses the attribute; substitute your actual table prefix if it is not the default wp_:
- SELECT ID, post_author, post_status, post_date, post_content FROM wp_posts WHERE post_content LIKE '%template_name=%';
The LIKE clause will also match prose that merely mentions the attribute, so review each hit. Path traversal sequences such as ../, absolute paths, or PHP stream wrappers in the attribute value are not plausible template names and indicate an inclusion attempt.
Web server access logs are of limited use, since the payload does not appear in the request line. The PHP error log is more helpful: a failed include() produces a warning naming the path that was attempted. No network-level commands or tools for this vulnerability are provided in the resources.
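To make the two checks above concrete, here is an added example (not code from the advisory page or from the SportsPress project). It first decides whether a reported plugin version falls in the affected range, comparing version components numerically so that "2.7.9" is correctly treated as older than "2.7.26" (a plain string comparison gets this wrong). It then scans post content exported from wp_posts for any shortcode carrying a template_name attribute and reports values that look like inclusion attempts. The shortcode and attribute grammar follows WordPress's [name attr="value"] syntax; the assumption that a legitimate template_name is a simple slug-like name, and the shortcode names and post bodies in SAMPLE_POSTS, are constructed for illustration and are not taken from the plugin.

```python
"""Added example: offline checks for CVE-2025-15368 exposure in SportsPress.

Not part of the advisory or the plugin. Assumptions are marked as such.
"""
from __future__ import annotations

import re
from typing import Iterable

# "All versions up to and including 2.7.26" are affected.
LAST_AFFECTED = (2, 7, 26)

# WordPress shortcode: [name attrs] where attrs may be quoted or bare.
SHORTCODE_RE = re.compile(r"\[([A-Za-z0-9_-]+)([^\]]*)\]")
ATTR_RE = re.compile(
    r"""([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))"""
)

# Constructed sample rows (ID, post_content) standing in for a wp_posts export.
SAMPLE_POSTS = [
    (101, 'Results: [event_results template_name="results"] and [event_calendar]'),
    (102, "[player_list template_name='../../../../wp-config'] season recap"),
    (103, "[league_table template_name=/etc/passwd]"),
    (104, "Plain post that only mentions template_name= in prose"),
    (105, '[team_standings template_name="php://filter/resource=index"]'),
]


def parse_version(v: str) -> tuple[int, ...]:
    """Keep the leading numeric components: '2.7.26', '2.8', '2.7.26-beta'."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_affected_version(installed: str) -> bool:
    """True when the installed SportsPress version is <= 2.7.26."""
    return parse_version(installed) <= LAST_AFFECTED


def classify_template_name(value: str) -> list[str]:
    """Return the reasons a template_name value looks like an LFI attempt.

    An empty list means the value is a plain slug. Assumption: legitimate
    template names contain only letters, digits, '_' and '-'.
    """
    reasons = []
    if ".." in value:
        reasons.append("path traversal")
    if value.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", value):
        reasons.append("absolute path")
    if "://" in value:
        reasons.append("stream wrapper or URL")
    if "\x00" in value or "%00" in value.lower():
        reasons.append("null byte")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        reasons.append("non-slug characters")
    return reasons


def find_suspicious_template_names(posts: Iterable[tuple[int, str]]) -> list[dict]:
    """Scan (post_id, post_content) rows for shortcodes with a bad template_name.

    Unlike the SQL LIKE '%template_name=%' pre-filter, this only reports the
    attribute when it sits inside an actual shortcode, so prose mentions are
    ignored.
    """
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            name, attrs = sc.group(1), sc.group(2)
            for am in ATTR_RE.finditer(attrs):
                if am.group(1).lower() != "template_name":
                    continue
                value = next(g for g in am.groups()[1:] if g is not None)
                reasons = classify_template_name(value)
                if reasons:
                    findings.append({
                        "post_id": post_id,
                        "shortcode": name,
                        "template_name": value,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for ver in ("2.7.9", "2.7.26", "2.7.27", "2.8.0"):
        print(ver, "affected" if is_affected_version(ver) else "not affected")
    for finding in find_suspicious_template_names(SAMPLE_POSTS):
        print(finding)
```

Feed the scanner the rows returned by the SQL pre-filter (the LIKE query narrows the set; the parser removes the prose false positives such as post 104 above) and triage anything reported, starting with drafts and pending posts authored by Contributor accounts.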
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the SportsPress plugin to a version later than 2.7.26, in which this Local File Inclusion is fixed, and to confirm the installed version afterwards.
If updating is not immediately possible, reduce the population of accounts that can reach the vulnerable code: audit every user with Contributor-level or higher permissions, remove or downgrade accounts that do not need it, and disable open registration if it grants Contributor or above.
Until the update is applied, review existing post content, including drafts and pending posts, for shortcodes that use the 'template_name' attribute and remove or neutralise any whose value is not a plain template name.
After patching, continue to monitor for signs of prior exploitation: unexpected 'template_name' values in post history and revisions, PHP warnings about failed includes in the error log, and any files written or modified outside the normal plugin and upload paths.