CVE-2025-14475 - Vulnerability Details

- Extensive VC Addons for WPBakery page builder <= 1.9.1 - Unauthenticated Local File Inclusion via 'shortcode_name' Parameter

Description

The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.

Published: 2025-12-13

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Vulnerable plugin performs a local file inclusion without normalizing the user-supplied "shortcode_name" argument in an AJAX action, allowing an unauthenticated attacker to include and execute arbitrary PHP files present on the server. This capability turns the plugin into a conduit for arbitrary code execution, effectively giving the attacker full control over the affected WordPress installation. The weakness is identified as CWE-98.

Affected Systems

All installations of the Extensive VC Addons for WPBakery page builder plugin up to and including version 1.9.1 are impacted. The vulnerability exists in the plugin code that runs within the WordPress environment and is triggered via standard plugin URLs accessed by any visitor.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity, while the EPSS score of less than 1 percent indicates low exploitation probability as of the time of analysis. The defect is not listed in the CISA KEV catalog. The primary attack vector is the publicly available AJAX endpoint "extensive_vc_init_shortcode_pagination", which an attacker can call without authentication, supply a crafted "shortcode_name" value, and thereby include malicious server-side files. Only a component with file system write access or an attacker already able to place files on the web root would be fully exploited, but the LFI flaw itself allows arbitrary code execution if such files exist.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

nenad-obradovic

Extensive VC Addons for WPBakery page builder

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.9.1

No data.

Vendor	Product	Confidence	Versions
Nenad-obradovic	Extensive Vc Addons For Wpbakery Page Builder	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Extensive VC Addons for WPBakery page builder plugin to the latest available version, which removes the LFI flaw.
If upgrading is not immediately possible, disable or restrict access to the "extensive_vc_init_shortcode_pagination" AJAX action through WordPress settings or by removing the Shortcode feature from the plugin configuration.
Apply network or web server rules (e.g., .htaccess, firewall) to block unauthenticated access to the plugin’s AJAX endpoint, preventing exploitation until a patch is deployed.

Generated by OpenCVE AI on April 21, 2026 at 17:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00105.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/lib/helpers-functions.php#L78
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L122
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L142
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/lib/helpers-functions.php#L78
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L122
https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L142
https://www.wordfence.com/threat-intel/vulnerabilities/id/49711408-5d04-4fdd-a6c4-b224959ba1bc?source=cve

History

Mon, 15 Dec 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sun, 14 Dec 2025 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Nenad-obradovic Nenad-obradovic extensive Vc Addons For Wpbakery Page Builder Wordpress Wordpress wordpress
Vendors & Products		Nenad-obradovic Nenad-obradovic extensive Vc Addons For Wpbakery Page Builder Wordpress Wordpress wordpress

Sat, 13 Dec 2025 04:45:00 +0000

Type	Values Removed	Values Added
Description		The Extensive VC Addons for WPBakery page builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.1 via the `extensive_vc_get_module_template_part` function. This is due to insufficient path normalization and validation of the user-supplied `shortcode_name` parameter in the `extensive_vc_init_shortcode_pagination` AJAX action. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files via the `shortcode_name` parameter.
Title		Extensive VC Addons for WPBakery page builder <= 1.9.1 - Unauthenticated Local File Inclusion via 'shortcode_name' Parameter
Weaknesses		CWE-98
References		https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/lib/helpers-functions.php#L78 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L122 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/tags/1.9.1/shortcodes/shortcodes-functions.php#L142 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/lib/helpers-functions.php#L78 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L122 https://plugins.trac.wordpress.org/browser/extensive-vc-addon/trunk/shortcodes/shortcodes-functions.php#L142 https://www.wordfence.com/threat-intel/vulnerabilities/id/49711408-5d04-4fdd-a6c4-b224959ba1bc?source=cve
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Nenad-obradovic Extensive Vc Addons For Wpbakery Page Builder

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-12-13T04:31:24.522Z

Updated: 2026-04-08T16:50:29.974Z

Reserved: 2025-12-10T18:24:03.085Z

Link: CVE-2025-14475

Vulnrichment

Updated: 2025-12-15T15:21:15.914Z

NVD

Status : Deferred

Published: 2025-12-13T16:16:50.477

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14475

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:30:37Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object