Description
The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-10-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling execution of arbitrary PHP code
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Category and Products Accordion Panel plugin for WordPress versions 1.0 and earlier, where the 'categoryaccordionpanel' shortcode can be manipulated to include local files containing PHP code. By exploiting this flaw, an attacker who can authenticate with a Contributor level or higher can gain the ability to execute arbitrary server-side code. The weakness is a Local File Inclusion flaw (CWE-98) that directly threatens confidentiality, integrity, and availability by allowing code injection, data exfiltration, or further foothold establishment.

Affected Systems

The affected product is the Woocommerce Category and Products Accordion Panel plugin for WordPress, version 1.0 and any earlier releases. Users who have installed this plugin and granted Contributor or higher roles to users are at risk. No other vendors or products are mentioned as affected.

Risk and Exploitability

The CVSS v3.1 base score of 7.5 is rated High; its vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable flaw with high attack complexity that needs only low-privileged credentials and has total confidentiality, integrity, and availability impact. The EPSS score of less than 1% indicates a low predicted probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is the WordPress shortcode interface: the attacker logs in with a Contributor or higher role and places the malicious shortcode in a page or post. Once the Local File Inclusion succeeds, the attacker can execute arbitrary PHP code, potentially bypassing existing access controls and compromising the entire site.

Generated by OpenCVE AI on April 22, 2026 at 12:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to the latest version, which contains the fixed inclusion checks
  • If an upgrade is not immediately possible, remove or disable the categoryaccordionpanel shortcode from untrusted content
  • Limit Contributor and higher roles to only those who require them, and enforce strong upload permissions to prevent unauthorized PHP files from being added
  • Configure the web server to disable execution of PHP files in directories where uploads are stored, reducing the risk of file inclusion exploitation


Advisories

No advisories yet.

History

Mon, 20 Oct 2025 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 15 Oct 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Oct 2025 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Woocommerce Category and Products Accordion Panel plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0 via the 'categoryaccordionpanel' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Type: Title
Values Removed: (none)
Values Added: Category and Products Accordion Panel <= 1.0 - Authenticated (Contributor+) Local File Inclusion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added: (none shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:26.861Z

Reserved: 2025-10-13T20:19:52.129Z

Link: CVE-2025-11722

Vulnrichment

Updated: 2025-10-15T14:43:12.693Z

NVD

Status: Deferred

Published: 2025-10-15T09:15:43.110

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:45:17Z

Weaknesses