CVE-2025-15368

CVSS 8.8 HIGH

📋 TL;DR

The SportsPress WordPress plugin has a Local File Inclusion (LFI) vulnerability in all versions up to and including 2.7.26. An authenticated attacker with the Contributor role or higher can abuse it to include arbitrary files from the server's filesystem; because PHP executes any PHP code in an included file, this can lead to remote code execution once the attacker gets a file containing PHP onto the server. Every WordPress site running a vulnerable version of SportsPress is affected.

💻 Affected Systems

Products:
  • WordPress SportsPress plugin
Versions: All versions up to and including 2.7.26
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated account with at least the Contributor role, so sites with open registration or untrusted authors are the most exposed. No other precondition applies: WordPress itself runs on PHP, so the interpreter is always present.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise through remote code execution, data exfiltration, backdoor installation, and complete site takeover.

🟠

Likely Case

Unauthorized file access, sensitive data disclosure, privilege escalation, and limited code execution within the web server context.

🟢

If Mitigated

Even with upload restrictions and server hardening in place, the inclusion itself still works, so a Contributor can still pull local files into page output; the impact is bounded only by what the attacker can get onto the filesystem.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires Contributor-level access. The flaw is in the plugin's shortcode handling and is triggered through a crafted post or page. Note that WordPress renders shortcodes when a draft is previewed, so the attacker does not need publishing rights or an editor's approval.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.27 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3208281%40sportspress%2Ftrunk&old=3208279%40sportspress%2Ftrunk

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the SportsPress plugin.
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 2.7.27 or later from WordPress.org and update manually.

🔧 Temporary Workarounds

Disable the vulnerable shortcode

Platform: all

Remove or disable the affected shortcode functionality until the plugin can be updated.

Unregister the affected shortcode with remove_shortcode() from a must-use plugin in wp-content/mu-plugins/ rather than editing SportsPress's own files, which the next plugin update would overwrite.
Separately, add define('DISALLOW_FILE_EDIT', true); to wp-config.php. This does not disable the shortcode; it removes the theme and plugin file editor from the admin UI, which limits what an attacker can do with an Administrator account gained after exploitation.

Restrict file uploads

Platform: Linux

Prevent uploaded PHP files from being served as executable code, so that a planted webshell cannot simply be requested directly.

Add to wp-content/uploads/.htaccess (Apache 2.4 syntax): <Files "*.php"> Require all denied </Files>. The older deny from all directive only works when mod_access_compat is loaded, and placing either form in the site root would block WordPress itself.
Configure the web server to block PHP execution in upload directories (for nginx, a location block covering /wp-content/uploads/ that refuses .php requests).
Caveat: this does not stop the inclusion itself. PHP's include executes a file from the filesystem regardless of how the web server would serve it over HTTP, so any file containing PHP that reaches the server can still be executed through this vulnerability.

🧯 If You Can't Patch

  • Remove the Contributor role and above from untrusted users, and disable open registration if new accounts receive Contributor or higher
  • Add web application firewall rules that block path-traversal patterns (../ and URL-encoded forms such as %2e%2e%2f) in request parameters

🔍 How to Verify

Check if Vulnerable:

Check SportsPress plugin version in WordPress admin under Plugins > Installed Plugins

Check Version:

wp plugin list --name=sportspress --field=version (requires WP-CLI). Compare the result as a version number, not as a string: 2.7.3 sorts after 2.7.27 lexically but is older.

Verify Fix Applied:

Confirm the plugin version is 2.7.27 or higher, then check that SportsPress shortcodes still render correctly on an existing page.

📡 Detection & Monitoring

Log Indicators:

  • Requests whose template_name parameter contains path-traversal sequences (../) or a PHP stream wrapper. Default Apache and nginx access logs do not record POST bodies, so this value is only visible where a WAF, reverse proxy or application-level logging captures request parameters
  • PHP error logs showing include/require warnings that name unexpected paths
  • Reads of sensitive files (wp-config.php, /etc/passwd) by the web server user outside normal activity

Network Indicators:

  • HTTP requests with ../ sequences, or their URL-encoded forms (%2e%2e%2f, ..%2f), in parameters
  • Requests to SportsPress endpoints, or post previews and pages, whose parameters carry unexpected file paths

SIEM Query:

source="web_logs" AND (uri="*sportspress*" AND (param="*template_name*" AND value="*../*"))

This query assumes the log pipeline has already split request parameters into param/value fields and decoded them. A literal match on ../ misses URL-encoded (%2e%2e%2f, ..%2f) and double-encoded forms, so decode before matching or add those variants to the query, and drop the uri filter if shortcodes are rendered on ordinary post and preview URLs rather than SportsPress-specific paths.
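The indicators and SIEM query above rely on a literal ../ match. Here is an added example, not code from the SportsPress project or from this advisory's source, of the same check done over structured request logs: it percent-decodes each template_name value until it stops changing (so %2e%2e%2f and double-encoded %252e%252e%252f are caught like the plain form), and it also flags absolute paths and PHP stream wrappers, which goes beyond the advisory's ../ indicator. The JSON-lines format, the field names (ts, src, user, uri, params) and the sample records are constructed for this example; only the template_name parameter name comes from the advisory. The records assume a WAF or reverse proxy that logs request parameters, since stock access logs do not contain POST bodies.

```python
"""Flag LFI-style values in a template_name request parameter (added example)."""
import json
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import unquote

# A template name should never look like a path. After decoding we flag:
#   ../ or ..\        parent-directory traversal
#   leading / or \    absolute path
#   scheme://         PHP stream wrapper such as php://filter or data://
#   NUL               historically used to truncate an appended extension
PATH_LIKE_RE = re.compile(r"\.\.[/\\]|^[/\\]|^[a-z][a-z0-9+.-]*://|\x00", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded %252e%252e%252f is seen as ../ like the plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(record: dict) -> Optional[str]:
    """Return a reason string if the record carries a path-like template_name, else None."""
    params = record.get("params") or {}
    raw = params.get("template_name")
    if raw is None:
        return None
    decoded = decode_fully(str(raw))
    match = PATH_LIKE_RE.search(decoded)
    if match is None:
        return None
    return f"template_name={decoded!r} matched {match.group(0)!r}"


def scan(lines: Iterable[str]) -> List[Tuple[dict, str]]:
    """Parse JSON-lines request logs and return (record, reason) for every hit.
    Malformed lines are skipped so one bad line does not abort the scan."""
    hits: List[Tuple[dict, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        reason = classify(record)
        if reason is not None:
            hits.append((record, reason))
    return hits


# Constructed sample records: hypothetical URIs, users and addresses, not real traffic.
SAMPLE_LOG = r"""
{"ts":"2025-01-01T10:00:00Z","src":"198.51.100.10","user":"contrib1","method":"POST","uri":"/wp-admin/post.php","params":{"template_name":"event-list"}}
{"ts":"2025-01-01T10:01:00Z","src":"198.51.100.11","user":"contrib1","method":"POST","uri":"/wp-admin/post.php","params":{"template_name":"../../../../wp-config.php"}}
{"ts":"2025-01-01T10:02:00Z","src":"198.51.100.12","user":"contrib1","method":"POST","uri":"/wp-admin/post.php","params":{"template_name":"..%2F..%2Fwp-config.php"}}
{"ts":"2025-01-01T10:03:00Z","src":"198.51.100.13","user":"contrib1","method":"POST","uri":"/wp-admin/post.php","params":{"template_name":"%252e%252e%252fwp-config.php"}}
{"ts":"2025-01-01T10:04:00Z","src":"198.51.100.14","user":"contrib1","method":"POST","uri":"/wp-admin/post.php","params":{"template_name":"php://filter/convert.base64-encode/resource=wp-config.php"}}
{"ts":"2025-01-01T10:05:00Z","src":"198.51.100.15","user":"editor1","method":"POST","uri":"/wp-admin/post.php","params":{"post_ID":"42"}}
this line is not JSON and must be skipped
"""


if __name__ == "__main__":
    for record, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{record['ts']} {record['src']} {record['user']} {record['uri']}: {reason}")
```

Run it as a script to print the four hits from the sample, or pass scan() the lines of a real export. The three decoding rounds are a deliberate bound: an attacker can nest encodings deeper, but each extra layer is itself a signal worth alerting on, and an unbounded decode loop is the wrong default for a log scanner.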
