Description
The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-11-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling PHP code execution
Action: Apply Patch
AI Analysis

Impact

The Elegance Menu plugin for WordPress lets the value of the 'elegance-menu' attribute of its `elegance-menu` shortcode control which file a PHP include loads (CWE-98, improper control of filename for include/require). Any authenticated user who can place the shortcode in post content, which the Contributor role allows, can therefore make the plugin include an arbitrary file already present on the server. When the included file is PHP, its contents execute in the context of the web server process, so the flaw escalates from file disclosure to code execution wherever the attacker can get PHP onto disk. The result can be privilege escalation, data theft, and full compromise of the site where the plugin is installed.
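The block below is an added illustration of the CWE-98 shape this advisory describes and one way to close it. It is not the Elegance Menu plugin's own code: the function names, the `templates/` directory, the attribute default and the vulnerable handler's exact form are assumptions. The vulnerable shape shows the attribute flowing straight into `include`; the hardened shape rejects anything that is not a short identifier and then confirms with `realpath()` that the resolved file still lives inside the plugin's template directory, so neither `../` sequences nor a symlink escape it.

```php
<?php
// Added example: illustrative pattern only, NOT the Elegance Menu plugin's code.
// Assumed layout: <plugin>/templates/<name>.php is the file the shortcode renders.

// --- Vulnerable shape (assumed): the attribute reaches include() unchecked.
// [elegance-menu elegance-menu="../../../uploads/2025/11/shell.jpg.php"] in any
// post a Contributor can save would be included and executed on render.
function em_vulnerable_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'elegance-menu' => 'default' ), $atts, 'elegance-menu' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'templates/' . $atts['elegance-menu'] . '.php';
    return ob_get_clean();
}

// --- Hardened shape: validate the name, then confine the resolved path.
function em_hardened_shortcode( $atts ) {
    $atts     = shortcode_atts( array( 'elegance-menu' => 'default' ), $atts, 'elegance-menu' );
    $template = em_resolve_template( $atts['elegance-menu'] );
    if ( null === $template ) {
        return ''; // unknown or traversal value: render nothing, include nothing
    }
    ob_start();
    include $template;
    return ob_get_clean();
}

/**
 * Map a shortcode attribute to a file inside the plugin's templates directory,
 * or return null. Two independent checks are applied on purpose: a strict
 * identifier allowlist (no separators, no dots, bounded length) and a realpath()
 * containment check, so loosening one later still leaves the other in place.
 */
function em_resolve_template( $name ) {
    if ( ! is_string( $name ) || ! preg_match( '/^[a-z0-9_-]{1,64}$/i', $name ) ) {
        return null;
    }
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    if ( false === $base ) {
        return null;
    }
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name . '.php' );
    if ( false === $path ) {
        return null; // file does not exist; never fall through to a guessed path
    }
    // The resolved path must start with "<base>/" (not merely "<base>", which a
    // sibling directory such as templates-old/ would also match).
    if ( strncmp( $path, $base . DIRECTORY_SEPARATOR, strlen( $base ) + 1 ) !== 0 ) {
        return null; // resolved outside templates/ via traversal or symlink
    }
    return $path;
}

add_shortcode( 'elegance-menu', 'em_hardened_shortcode' );
```

Note that `sanitize_file_name()` or `sanitize_text_field()` alone would not be a fix here: both keep dots and slashes, so `../` survives them. The identifier regex is what removes the traversal characters, and the `realpath()` comparison is what catches the cases a regex cannot see, such as a symlink planted inside `templates/`.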

Affected Systems

The Elegance Menu plugin for WordPress (ImpactTechLab), versions 1.9 and earlier, on any WordPress installation where the plugin is active. No fixed version is identified on this page; 1.9 is the latest release known to be vulnerable.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High), vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: reachable over the network with low privileges and no user interaction, full confidentiality, integrity and availability impact, but high attack complexity. The EPSS score below 1% shows that, as of data collection, observed exploitation activity is rare, the vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment agrees (Exploitation: none, Automatable: no, Technical Impact: total). The practical bar is nonetheless low: Contributor is a role many sites hand to external content writers, and a Contributor only needs to save a post containing the shortcode and have it rendered, which previewing their own draft does without any editorial review. What the attacker gains depends on what is on disk. A Contributor cannot upload files in a default WordPress installation, so the "arbitrary PHP file" path to remote code execution requires a separate upload vector (a role that has been granted `upload_files`, another plugin's upload handler, or an existing server file whose contents the attacker influences); without one, the attacker is limited to including files already on the server, which still exposes their contents and any PHP they contain. That is the condition the description states with "in cases where .php file types can be uploaded and included".

Generated by OpenCVE AI on April 22, 2026 at 12:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Elegance Menu plugin to a version newer than 1.9, if one is available, to patch the LFI flaw.
  • If a patched version is not available, consider disabling or uninstalling the plugin from the WordPress installation until an update is released.
  • Reduce what untrusted Contributor accounts can do until the plugin is fixed. WordPress does not gate shortcodes by capability, so blocking the `elegance-menu` shortcode for Contributors requires a role‑management plugin or a site‑side filter such as `pre_do_shortcode_tag`; confirm the Contributor role has not been granted `upload_files`; and downgrade accounts that do not need to write content to Subscriber. Note that Author is a higher‑privileged role than Contributor (Authors can publish and upload files), so moving users to Author is not a mitigation.
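As an added example, not vendor code, the following must‑use plugin is an interim site‑side guard that can be dropped into `wp-content/mu-plugins/` until a fixed release is installed. It uses the core `pre_do_shortcode_tag` filter to refuse any `elegance-menu` shortcode whose attribute value is not on a site‑specific allowlist, logs the attempt with the post and user involved, and flags the case where the Contributor role has been granted `upload_files`, which is what turns this LFI into straightforward code execution. The allowlist values and the `emg_` names are placeholders to be replaced with the menu names the site actually uses.

```php
<?php
/**
 * Plugin Name: Elegance Menu shortcode guard (interim mitigation)
 * Description: Added example, not vendor code. Refuses the elegance-menu
 *              shortcode unless its attribute is on a site-specific allowlist.
 *              Install in wp-content/mu-plugins/ so it loads before the plugin
 *              and cannot be deactivated from the admin UI.
 */

// Placeholder allowlist: the menu values this site actually uses. Anything
// else is refused before the plugin's shortcode handler ever runs.
const EMG_ALLOWED_MENU_VALUES = array( 'default', 'main', 'footer' );

/**
 * Decide whether a shortcode invocation may proceed. Returns true to let
 * WordPress run the registered handler, false to suppress the shortcode.
 * Kept free of WordPress calls so the policy can be unit-tested in isolation.
 */
function emg_shortcode_allowed( $tag, $attr ) {
    if ( 'elegance-menu' !== $tag ) {
        return true; // not our concern
    }
    if ( ! is_array( $attr ) ) {
        return true; // shortcode written with no attributes: plugin default applies
    }
    if ( ! array_key_exists( 'elegance-menu', $attr ) ) {
        return true; // attribute absent: plugin default applies
    }
    $value = $attr['elegance-menu'];
    return is_string( $value )
        && preg_match( '/^[a-z0-9_-]{1,64}$/i', $value ) === 1
        && in_array( $value, EMG_ALLOWED_MENU_VALUES, true );
}

// Short-circuit the shortcode: returning anything other than false from this
// filter makes WordPress use that value as the output and skip the handler.
add_filter( 'pre_do_shortcode_tag', function ( $return, $tag, $attr, $m ) {
    if ( emg_shortcode_allowed( $tag, $attr ) ) {
        return $return; // still false: WordPress proceeds to the plugin's handler
    }
    error_log( sprintf(
        'elegance-menu shortcode blocked: post %d, user %d, attr=%s',
        (int) get_the_ID(),
        get_current_user_id(),
        wp_json_encode( $attr )
    ) );
    return ''; // render nothing in place of the shortcode
}, 10, 4 );

// The role boundary the advisory relies on: Contributor must not be able to
// upload files. WordPress ships with this capability off for Contributors, but
// plugins and custom role setups sometimes grant it; surface that on admin load.
add_action( 'admin_init', function () {
    $role = get_role( 'contributor' );
    if ( $role && $role->has_cap( 'upload_files' ) ) {
        error_log( 'contributor role has upload_files: review before relying on role boundaries' );
    }
} );
```

Because `pre_do_shortcode_tag` runs for every shortcode on every render, the guard also covers shortcodes already stored in existing posts and drafts, not only new ones; the log line gives incident responders the post ID and user ID to review for prior attempts.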



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

  Type                 Values Removed   Values Added
  References

Tue, 04 Nov 2025 16:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Wordpress
                                        Wordpress wordpress
  Vendors & Products                    Wordpress
                                        Wordpress wordpress

Tue, 04 Nov 2025 16:15:00 +0000

  Type                 Values Removed   Values Added
  Metrics                               ssvc
                                        {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 04:45:00 +0000

  Type                 Values Removed   Values Added
  Description                           The Elegance Menu plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the 'elegance-menu' attribute of the `elegance-menu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
  Title                                 Elegance Menu <= 1.9 - Authenticated (Contributor+) Local File Inclusion
  Weaknesses                            CWE-98
  References
  Metrics                               cvssV3_1
                                        {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:30.173Z

Reserved: 2025-10-13T19:10:53.316Z

Link: CVE-2025-11704

Vulnrichment

Updated: 2025-11-04T15:51:50.400Z

NVD

Status: Deferred

Published: 2025-11-04T05:15:53.957

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11704

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:00:09Z

Weaknesses