Description
The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Published: 2025-03-20
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Local PHP File Inclusion leading to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The Age Gate plugin for WordPress contains a flaw that allows an unauthenticated attacker to include and execute arbitrary PHP files through the 'lang' parameter. The record classifies it as CWE-22 (path traversal): the parameter controls a file path that is included without adequate validation. It can be used to bypass access controls, read sensitive files (for example the site's wp-config.php), or achieve code execution when the attacker can first place a file containing PHP, such as one disguised as an image, in a directory that the plugin later includes.

Affected Systems

WordPress sites running the philsbury Age Gate plugin at version 3.5.3 or earlier are affected. Any installation of a vulnerable version is at risk, since the description states the parameter is reachable without authentication.

Risk and Exploitability

The CVSS 3.1 score of 9.8 reflects the worst case for a network-reachable flaw: no privileges, no user interaction, and full loss of confidentiality, integrity and availability. The EPSS score of < 1% suggests a very low observed probability of exploitation so far, and the SSVC entry in the history below rates exploitation as 'none', but it also rates the flaw as automatable with total technical impact. Low EPSS does not eliminate the risk: once an attacker can place a file in a directory the plugin can reach via 'lang' (for example an uploaded image that contains PHP), including it is a single crafted request. No public references are attached to this record, so the exact request shape and the fix are not documented on this page.
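One thing a practitioner can do without a vendor reference is hunt for the attack shape in web access logs. The script below is an added example for this advisory, not part of the OpenCVE record or of the Age Gate plugin: the request paths and payload forms are assumptions (the record only says the parameter is named 'lang' and reachable unauthenticated), and the log lines are constructed, not captured. It parses combined-format lines, pulls every 'lang' value, and reports values that carry traversal sequences, path separators, stream-wrapper prefixes, null bytes or a PHP extension, plus anything that does not look like a locale code.

```python
"""Hunt combined-format web access logs for requests that abuse a 'lang' query
parameter with local-file-inclusion payloads.

Added example for this advisory; not part of the OpenCVE record or of the
Age Gate plugin. Request paths and payload shapes are assumptions; the sample
log lines are constructed, not captured from a real host.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample (Apache/Nginx combined log format).
SAMPLE_LOG = r"""
203.0.113.5 - - [21/Mar/2025:10:01:02 +0000] "GET /?lang=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Mar/2025:10:01:09 +0000] "GET /?lang=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.4.0"
198.51.100.7 - - [21/Mar/2025:10:02:30 +0000] "GET /?lang=..%2F..%2Fuploads%2F2025%2F03%2Fshell.jpg HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.7 - - [21/Mar/2025:10:02:41 +0000] "GET /?lang=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9000 "-" "python-requests/2.31"
192.0.2.9 - - [21/Mar/2025:10:03:00 +0000] "GET /?lang=de_DE HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# What a legitimate value should look like: a locale code such as
# 'en', 'de_DE', 'pt-BR' or 'zh_Hans'. Anything else deserves a look.
LOCALE_RE = re.compile(r'^[A-Za-z]{2,3}(?:[_-][A-Za-z]{2,4}){0,2}$')


def suspicious_reasons(value):
    """Return the indicators that make a 'lang' value look like an inclusion
    payload; an empty list means it looks benign."""
    # parse_qs already decoded once; decode again to catch double-encoding
    # such as %252e%252e%252f.
    v = unquote(value)
    reasons = []
    if '..' in v or '/' in v or '\\' in v:
        reasons.append('path traversal or path separator')
    if re.match(r'[a-z][a-z0-9+.-]*:', v, re.I):
        reasons.append('stream wrapper (php://, data:, ...)')
    if '\x00' in v:
        reasons.append('null byte')
    if re.search(r'\.(?:php\d?|phtml|phar)\b', v, re.I):
        reasons.append('php extension')
    if not reasons and not LOCALE_RE.match(v):
        reasons.append('not a locale code')
    return reasons


def scan_log(text):
    """Parse each line, extract every 'lang' value, and report suspicious ones."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m['target']).query
        for value in parse_qs(query, keep_blank_values=True).get('lang', []):
            reasons = suspicious_reasons(value)
            if reasons:
                hits.append({
                    'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                    'lang': value, 'reasons': reasons,
                })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"lang={hit['lang']!r}: {', '.join(hit['reasons'])}")
```

Run it over real logs by feeding the file contents to scan_log. A 200 response to a traversal payload is the line to chase first; a 404 or 500 on the same payload still shows scanning and is worth a block at the edge.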

Generated by OpenCVE AI on April 29, 2026 at 02:04 UTC.

Remediation

The CVE record on this page attaches no references, so no vendor fix or workaround is recorded here. Check the plugin's changelog for a release after 3.5.3 that addresses this issue before relying on an upgrade alone.

OpenCVE Recommended Actions

  • Upgrade the Age Gate plugin to a release after 3.5.3 (OpenCVE recommends 3.5.4 or later), and confirm from the plugin changelog that the release addresses the 'lang' file inclusion, since this record carries no vendor reference.
  • If an upgrade cannot be performed immediately, block requests whose 'lang' parameter contains anything other than a locale code (letters, digits, '_' or '-') at the web server or WAF; traversal sequences ('../'), path separators, stream-wrapper prefixes such as 'php://' and null bytes have no legitimate use in that parameter. If that is not possible, deactivate the plugin until it is patched.
  • Remove the upload path that turns this into code execution: deny PHP execution in wp-content/uploads in the web server configuration, validate upload content rather than only the extension, keep allow_url_include off in php.ini so data:// and php://input cannot be included, and restrict open_basedir to the site tree as defence in depth.

Generated by OpenCVE AI on April 29, 2026 at 02:04 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-6740
Title: The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
History

Thu, 20 Mar 2025 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc (version 2.0.3): Exploitation: none; Automatable: yes; Technical Impact: total


Thu, 20 Mar 2025 07:45:00 +0000

Type: Description
Values Added: The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Type: Title
Values Added: Age Gate <= 3.5.3 - Unauthenticated Local PHP File Inclusion via 'lang'

Type: Weaknesses
Values Added: CWE-22

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1: score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:25.280Z

Reserved: 2025-03-18T17:08:25.933Z

Link: CVE-2025-2505

Vulnrichment

Updated: 2025-03-20T14:51:20.387Z

NVD

Status: Deferred

Published: 2025-03-20T08:15:11.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T02:15:47Z

Weaknesses