Description
The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included.
Published: 2025-12-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary PHP code execution
Action: Patch immediately
AI Analysis

Impact

The LT Unleashed WordPress plugin is vulnerable to Local File Inclusion through the 'template' parameter of the 'book' shortcode because that value is not properly sanitized before it is used to build an include path. The flaw allows authenticated users with Contributor-level access or higher to supply file paths that the plugin includes and executes as PHP. If an attacker includes sensitive files such as wp-config.php, they can obtain credentials and gain broader control over the site. The weakness is classified as CWE-98. The CVSS score of 7.5 indicates high severity; the EPSS score below 1% reflects a low current probability of widespread exploitation, but the issue remains a serious risk for affected installations.

Affected Systems

LT Unleashed plugin for WordPress, versions up to and including 1.1.1

Risk and Exploitability

Exploitation requires valid Contributor-level or higher credentials, which limits who can reach the vulnerable code path. Once authenticated, an attacker can place a shortcode with a malicious path in the 'template' parameter, causing the plugin to include an arbitrary file and execute it as PHP. The high CVSS score reflects significant impact on confidentiality, integrity, and availability. Because the EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, exploitation is currently considered unlikely, yet the potential for code execution warrants urgent attention.

Generated by OpenCVE AI on April 21, 2026 at 00:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LT Unleashed plugin to version 1.1.2 or later, which removes the insecure 'template' handling.
  • If an upgrade cannot be performed immediately, revoke Contributor or higher roles from users who do not require them, or enforce the principle of least privilege for the plugin’s access controls.
  • As an interim workaround, edit the plugin’s shortcode handling or set server restrictions (e.g., disable the 'template' parameter) to prevent inclusion of arbitrary files until the official patch is applied.
  • Monitor the site for unauthorized file inclusion attempts and review HTTP logs for suspicious 'template' parameter usage.
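As an added defensive example (not OpenCVE's or the plugin's code), the following Python scans post content for `book` shortcodes and flags any 'template' value that is not a bare allowlisted name, which is the same check a hardened shortcode handler would apply before building an include path. The allowlist names and the sample post content are constructed assumptions.

```python
import re

# Constructed allowlist: the bare template names a hardened `book` shortcode handler
# would accept (assumption; the real plugin's template names are not on the page).
ALLOWED_TEMPLATES = {"default", "compact", "grid"}

# Simplified shortcode grammar (constructed): [book attr="value" ...]
SHORTCODE_RE = re.compile(r"\[book\b([^\]]*)\]")
ATTR_RE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))''')


def template_attr(attrs: str):
    """Return the value of the template= attribute inside a shortcode, or None if absent."""
    for m in ATTR_RE.finditer(attrs):
        if m.group(1).lower() == "template":
            return next(g for g in m.groups()[1:] if g is not None)
    return None


def is_safe_template(value) -> bool:
    """A template value is safe only if it is a short bare identifier on the allowlist.
    Path separators, traversal sequences, stream wrappers and null bytes all fail the
    identifier check, so they can never reach a filesystem include."""
    if value is None or not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", value):
        return False
    return value in ALLOWED_TEMPLATES


def scan_content(text: str):
    """Return (shortcode, template value) pairs whose template value would be rejected."""
    findings = []
    for sc in SHORTCODE_RE.finditer(text):
        value = template_attr(sc.group(1))
        if value is not None and not is_safe_template(value):
            findings.append((sc.group(0), value))
    return findings


# Constructed sample post content mixing legitimate and suspicious shortcodes.
SAMPLE_POST = """<p>Reading list</p>
[book template="default" id="12"]
[book template="../../wp-config.php"]
[book template=/var/www/html/wp-config.php]
[book id="3"]
"""

if __name__ == "__main__":
    for shortcode, value in scan_content(SAMPLE_POST):
        print(f"suspicious template value {value!r} in {shortcode}")
```

The same `is_safe_template` rule, applied server-side before any include, is the allowlist approach the interim workaround above points at.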


Advisories

No advisories yet.

History

Mon, 15 Dec 2025 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 02:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The LT Unleashed plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.1 via the 'template' parameter in the `book` shortcode due to insufficient path sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files such as wp-config.php can be included.

Type: Title
Values Removed: (none)
Values Added: LT Unleashed <= 1.1.1 - Authenticated (Contributor+) Local File Inclusion via 'template' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:19.639Z

Reserved: 2025-12-02T14:39:54.615Z

Link: CVE-2025-13886

Vulnrichment

Updated: 2025-12-15T18:09:14.227Z

NVD

Status: Deferred

Published: 2025-12-12T03:15:52.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses