Login Sign Up

CVE-2025-14475

8.1 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on WordPress sites using the Extensive VC Addons plugin. Attackers can include and execute local PHP files via the plugin's AJAX functionality. All WordPress sites with this plugin installed up to version 1.9.1 are affected.

💻 Affected Systems

Products:
  • Extensive VC Addons for WPBakery page builder plugin for WordPress
Versions: All versions up to and including 1.9.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with WPBakery page builder and the Extensive VC Addons plugin installed.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise leading to data theft, ransomware deployment, or website defacement via arbitrary PHP code execution.

🟠

Likely Case

Website takeover, backdoor installation, credential harvesting, or malware distribution.

🟢

If Mitigated

Limited impact if proper file permissions, web application firewalls, and intrusion detection systems are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in an AJAX endpoint accessible without authentication, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.2 or later

Vendor Advisory: https://wordpress.org/plugins/extensive-vc-addon/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Extensive VC Addons' and click 'Update Now'. 4. Verify the plugin version is 1.9.2 or higher.

🔧 Temporary Workarounds

Disable the vulnerable plugin

all

Temporarily deactivate the Extensive VC Addons plugin until patched.

wp plugin deactivate extensive-vc-addon

Block vulnerable AJAX endpoint

linux

Use web application firewall or .htaccess to block access to the vulnerable AJAX action.

RewriteCond %{QUERY_STRING} action=extensive_vc_init_shortcode_pagination [NC]
RewriteRule ^ - [F]

🧯 If You Can't Patch

  • Implement strict file permissions on PHP files and disable PHP execution in upload directories.
  • Deploy a web application firewall (WAF) with rules to block local file inclusion attempts.

🔍 How to Verify

Check if Vulnerable:

Check if the Extensive VC Addons plugin is installed and its version is 1.9.1 or lower in WordPress admin panel.

Check Version:

wp plugin get extensive-vc-addon --field=version

Verify Fix Applied:

Verify the plugin version is 1.9.2 or higher after updating.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /wp-admin/admin-ajax.php with action=extensive_vc_init_shortcode_pagination and suspicious shortcode_name parameters
  • Unusual file inclusion attempts in web server logs

Network Indicators:

  • POST requests to admin-ajax.php with local file paths in parameters

SIEM Query:

source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=extensive_vc_init_shortcode_pagination*" AND (query="*shortcode_name=*" OR query="*..*" OR query="*php*" OR query="*include*" OR query="*require*")

📊 Metadata

CVE ID: CVE-2025-14475
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-98
EPSS Score: 0.08% exploit probability (23.3th percentile)
Published: December 13, 2025
Last Updated: December 15, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14475, you might also want to check these:

CVE-2025-25174 10.0

This CVE describes a PHP Local File Inclusion vulnerability in the BeeTeam368 Extensions WordPress p...

Same vulnerability type (CWE-98)
CVE-2025-49994 9.8

This vulnerability allows attackers to include local files on the server through improper filename c...

Same vulnerability type (CWE-98)
CVE-2025-50003 9.8

This vulnerability allows attackers to include local PHP files through improper filename control in ...

Same vulnerability type (CWE-98)