Vulnerability Description
The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/lib/hel
- https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortco
- https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortco
- https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/lib/helpers-
- https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/s
- https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/s
- https://www.wordfence.com/threat-intel/vulnerabilities/id/49711408-5d04-4fdd-a6c
FAQ
What is CVE-2025-14475?
CVE-2025-14475 is a vulnerability with a CVSS score of 8.1 (HIGH). The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part`...
How severe is CVE-2025-14475?
CVE-2025-14475 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-14475?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.