CVE-2025-15368
Unknown Unknown - Not Provided
Local File Inclusion in SportsPress Plugin Allows Code Execution

Publication date: 2026-02-04

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-04-08
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15368
EUVD
EUVD-2025-206819
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wp_sportspress sportspress to 2.7.26 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The SportsPress plugin for WordPress, in all versions up to and including 2.7.26, is vulnerable to a Local File Inclusion (LFI) attack via the 'template_name' attribute in its shortcodes.

This vulnerability allows authenticated users with contributor-level or higher permissions to include and execute arbitrary files on the server.

By exploiting this, attackers can execute any PHP code contained in those files, potentially bypassing access controls and gaining unauthorized capabilities.

Impact Analysis

This vulnerability can have severe impacts including:

  • Bypassing access controls, allowing attackers to perform actions beyond their intended permissions.
  • Obtaining sensitive data stored on the server.
  • Executing arbitrary PHP code on the server, which can lead to full compromise of the WordPress site and potentially the underlying server.

Since the vulnerability requires contributor-level or higher permissions, any user with such access can exploit it.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves Local File Inclusion via the 'template_name' attribute in shortcodes of the SportsPress WordPress plugin up to version 2.7.26. Detection would involve identifying usage of these shortcodes with suspicious or unexpected 'template_name' values that could lead to file inclusion.

Since the vulnerability requires authenticated users with contributor-level or higher permissions to exploit, detection can focus on monitoring shortcode usage in posts or pages, especially those containing the 'template_name' attribute.

There is no explicit detection command or signature provided in the available resources. However, you can search your WordPress database for posts or content containing the shortcode with the 'template_name' attribute, for example by running a SQL query like:

  • SELECT * FROM wp_posts WHERE post_content LIKE '%template_name=%';

Additionally, monitoring web server logs for requests that include shortcode parameters or unusual file inclusion attempts may help detect exploitation attempts.

No specific network commands or tools are provided in the resources to detect this vulnerability.

Mitigation Strategies

The immediate mitigation step is to update the SportsPress plugin to a version later than 2.7.26 where this Local File Inclusion vulnerability is fixed.

If updating is not immediately possible, restrict contributor-level and higher user permissions to trusted users only, as the vulnerability requires authenticated users with at least contributor permissions.

Additionally, consider disabling or removing the vulnerable shortcode usage involving the 'template_name' attribute until a patch or update is applied.

Monitor your system for any suspicious activity or unauthorized file inclusions that could indicate exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15368. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart