Description
The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2026-01-14
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The Gotham Block Extra Light WordPress plugin contains an authenticated arbitrary file read flaw because the 'ghostban' shortcode does not restrict the file path it reads. With contributor-level access or higher, an attacker can use the shortcode to make the plugin read and return the contents of any file on the server, potentially exposing sensitive data. This issue is categorized as CWE-22 (path traversal) and provides direct read access to files that the web server configuration would normally keep out of reach.

Affected Systems

All installations of the Gotham Block Extra Light plugin at version 1.5.0 or earlier are affected. This includes any WordPress site that has installed the plugin and grants users contributor-level or higher roles.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5, indicating a moderate level of severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog. However, the exploit requires only authenticated access with contributor privileges, a fairly common role on many sites, and the attack path is straightforward: a contributor can insert or visit a page that triggers the 'ghostban' shortcode, forcing the plugin to read and return any file path specified.

Generated by OpenCVE AI on April 20, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Gotham Block Extra Light to a version newer than 1.5.0 or uninstall the plugin
  • If an update is not possible, remove or disable the 'ghostban' shortcode functionality to block the read capability
  • Limit contributor-level access or review role capabilities so that only trusted users can use the shortcode
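The following must-use plugin is an added example written for this page; it is not code from the Gotham Block Extra Light plugin, from Wordfence or from OpenCVE. It implements the second and third recommendations above (disable the shortcode, then review who has been using it) and, for the attack path described under Risk and Exploitability, shows the path-containment check that an arbitrary-file-read shortcode is missing. The shortcode name 'ghostban' and the CVE id come from the page; the function names, the hook priority and the containment helper are assumptions about how such a mitigation would be written, not a description of the plugin's internals or of its eventual fix.

```php
<?php
/**
 * Plugin Name: Mitigation for CVE-2025-15020 (disable 'ghostban' shortcode)
 * Description: Added example, not the plugin's own code. Unregisters the
 *              'ghostban' shortcode until Gotham Block Extra Light is updated,
 *              lists posts that already use it, and shows the path-containment
 *              check that an arbitrary-file-read shortcode lacks.
 *
 * Install: copy into wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard.
 */

// 1. Unregister the shortcode. Hook 'init' at the lowest priority so this runs
//    after the plugin has registered it (shortcodes are normally added on 'init').
add_action( 'init', function () {
    if ( shortcode_exists( 'ghostban' ) ) {
        remove_shortcode( 'ghostban' );
        // Re-register a no-op so existing posts render nothing instead of the
        // literal "[ghostban ...]" text.
        add_shortcode( 'ghostban', '__return_empty_string' );
    }
}, PHP_INT_MAX );

// 2. Triage helper (hypothetical name): find posts of any status whose content
//    contains the shortcode, with the author ID so contributor posts that
//    embed it can be reviewed.
function gbel_find_ghostban_posts(): array {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( '[ghostban' ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_author, post_status, post_modified FROM {$wpdb->posts} WHERE post_content LIKE %s",
            $like
        ),
        ARRAY_A
    );
}

// 3. The CWE-22 control: resolve a caller-supplied relative path against a
//    fixed base directory and refuse anything that escapes it. Hypothetical
//    helper illustrating the check a file-reading shortcode needs; it is not
//    how the plugin or its fix is implemented.
function gbel_resolve_in_base( string $base_dir, string $user_path ): ?string {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null;
    }
    // Accept only relative paths: no leading slash/backslash, no "C:" or "php:" prefix.
    if ( preg_match( '#^(/|\\\\|[A-Za-z]+:)#', $user_path ) ) {
        return null;
    }
    // realpath() collapses "../" segments and symlinks; false if the file does not exist.
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $user_path );
    if ( false === $candidate ) {
        return null;
    }
    // Compare against "base/" so a sibling such as /srv/files-other cannot pass for /srv/files.
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $candidate;
}
```

The shortcode removal takes effect on the next request once the file is in mu-plugins; `gbel_find_ghostban_posts()` can be called from WP-CLI (`wp eval 'print_r( gbel_find_ghostban_posts() );'`) to list posts to review, and `gbel_resolve_in_base( WP_CONTENT_DIR . '/uploads', $attr )` returns null for `../wp-config.php` and for absolute paths, which is the behaviour the vulnerable shortcode should have had.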

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000
  Type: References

Wed, 14 Jan 2026 20:15:00 +0000
  Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 11:15:00 +0000
  Type: First Time appeared
  Values Added: Gothamdev; Gothamdev gotham Block Extra Light; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values Added: Gothamdev; Gothamdev gotham Block Extra Light; Wordpress; Wordpress wordpress

Wed, 14 Jan 2026 05:45:00 +0000
  Type: Description
  Values Added: The Gotham Block Extra Light plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.5.0 via the 'ghostban' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
  Type: Title
  Values Added: Gotham Block Extra Light <= 1.5.0 - Authenticated (Contributor+) Arbitrary File Read via 'ghostban' Shortcode
  Type: Weaknesses
  Values Added: CWE-22
  Type: References
  Type: Metrics
  Values Added: cvssV3_1
    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:16:16.207Z

Reserved: 2025-12-22T04:47:03.843Z

Link: CVE-2025-15020

Vulnrichment

Updated: 2026-01-14T15:44:10.833Z

NVD

Status: Deferred

Published: 2026-01-14T06:15:53.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-15020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses