CVE-2025-11722
📋 TL;DR
The WooCommerce Category and Products Accordion Panel WordPress plugin contains a Local File Inclusion vulnerability in all versions up to 1.0. Authenticated attackers with Contributor-level access or higher can include and execute arbitrary PHP files, potentially leading to remote code execution, data theft, or access control bypass.
💻 Affected Systems
- WooCommerce Category and Products Accordion Panel WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, data exfiltration, and persistent backdoor installation.
Likely Case
Unauthorized file access, privilege escalation, and limited code execution within the web server context.
If Mitigated
Limited impact if proper file upload restrictions and server hardening are in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Immediately disable and remove the plugin. 2. Check for any unauthorized file uploads or modifications. 3. Monitor for suspicious activity.
🔧 Temporary Workarounds
Remove vulnerable plugin
allCompletely remove the vulnerable plugin from WordPress installation
wp plugin deactivate accordion-panel-for-category-and-products
wp plugin delete accordion-panel-for-category-and-products
Restrict user roles
allTemporarily restrict or review Contributor-level user accounts
🧯 If You Can't Patch
- Implement strict file upload restrictions and disable PHP execution in upload directories
- Add web application firewall rules to block Local File Inclusion patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for plugin version 1.0 or earlier of 'WooCommerce Category and Products Accordion Panel'Check Version:
wp plugin get accordion-panel-for-category-and-products --field=versionVerify Fix Applied:
Confirm plugin is completely removed from wp-content/plugins directory📡 Detection & Monitoring
Log Indicators:
- Unusual file inclusion patterns in web server logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- HTTP requests containing 'categoryaccordionpanel' shortcode with file path parameters
SIEM Query:
web_access_logs WHERE uri CONTAINS 'categoryaccordionpanel' AND (uri CONTAINS '../' OR uri CONTAINS 'php://' OR uri CONTAINS '/etc/')🔗 References
- https://plugins.trac.wordpress.org/browser/accordion-panel-for-category-and-products/tags/1.0/include/abstract.php#L256
- https://plugins.trac.wordpress.org/browser/accordion-panel-for-category-and-products/tags/1.0/include/categoryaccordionpanel.php#L87
- https://www.wordfence.com/threat-intel/vulnerabilities/id/55315ba1-cbb8-4ce1-96c6-30a02611ba47?source=cve
