CVE-2025-14475
Published: 13 December 2025
Summary
CVE-2025-14475 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 28.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation and sanitization of the user-supplied shortcode_name parameter to block path traversal attacks enabling LFI and arbitrary PHP execution.
Requires timely identification, reporting, and patching of the LFI flaw in the Extensive VC Addons plugin versions up to 1.9.1 to prevent exploitation.
Enforces secure configuration settings for the web server and PHP, such as open_basedir restrictions, to limit file access paths exploitable via the LFI vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The LFI vulnerability in the WordPress plugin allows unauthenticated remote attackers to exploit a public-facing web application for arbitrary PHP file inclusion and execution, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the…
more
user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.
Deeper analysisAI
CVE-2025-14475 is a Local File Inclusion (LFI) vulnerability (CWE-98) affecting the Extensive VC Addons for WPBakery page builder plugin for WordPress in all versions up to and including 1.9.1. The issue stems from insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action, specifically within the `extensive_vc_get_module_template_part` function. This allows attackers to include and execute arbitrary PHP files on the server via the manipulated parameter.
Unauthenticated attackers can exploit this vulnerability over the network (AV:N) with high attack complexity (AC:H) and no user interaction required (UI:N), earning a CVSS v3.1 base score of 8.1 (C:H/I:H/A:H). By supplying a crafted `shortcode_name` value, they can force the inclusion of arbitrary PHP files, enabling the execution of any PHP code contained within those files and potentially leading to full server compromise, such as remote code execution.
References for CVE-2025-14475 link directly to the plugin's source code in the WordPress trac repository, highlighting vulnerable lines such as lib/helpers-functions.php#L78, shortcodes/shortcodes-functions.php#L122, and shortcodes/shortcodes-functions.php#L142 in tags/1.9.1 and trunk branches. No vendor advisories or patch details are provided in the available information.
Details
- CWE(s)