Description
The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.
Published: 2025-07-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Read/Write leading to potential remote code execution
Action: Patch Immediately
AI Analysis

Impact

The Premium Age Verification / Restriction for WordPress plugin exposes a remote support endpoint that is insufficiently protected. An unauthenticated attacker can send crafted requests to remote_tunnel.php and supply arbitrary file paths, allowing them to read or overwrite any file on the server. This vulnerability can expose sensitive data or enable the attacker to execute malicious code on the web host, compromising confidentiality, integrity, and availability. The weakness is identified as CWE-798 (Use of Hard-coded Credentials), indicating insecure handling of credentials or access control.

Affected Systems

Any WordPress site that has installed the Premium Age Verification / Restriction for WordPress plugin by aa-team, for any version up to and including 3.0.2. No specific WordPress core versions are indicated, so the risk applies to all installations that rely on this plugin within the stated version range.

Risk and Exploitability

The CVSS score of 9.8 classifies this flaw as critical. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, but attackers could still target the flaw wherever the plugin is exposed online. The vulnerability is not listed in the CISA KEV catalog, but its high severity and scope warrant immediate remediation. It can be exploited by sending HTTP requests to the exposed endpoint without authentication, which makes the attack straightforward for adversaries with basic web mapping tools.

Generated by OpenCVE AI on April 20, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Premium Age Verification / Restriction for WordPress plugin to the latest released version or remove the plugin if it is no longer required.
  • Reconfigure the web server or use .htaccess to block remote access to remote_tunnel.php or require authentication before it can be invoked.
  • Configure a web application firewall or similar input filtering to reject requests that contain directory traversal patterns (e.g., "../"), thereby preventing arbitrary file read or write.
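Before applying any of these actions, it helps to know whether a site carries the file at all. The following inventory check is an added example, not part of the advisory or the plugin: it looks under a WordPress plugins directory for any copy of remote_tunnel.php and compares the owning plugin's `Version:` header with the affected range. It keys on the file name because the advisory does not give the plugin's directory name; the sample directories and the version 3.1 in `demo()` are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

ENDPOINT_NAME = "remote_tunnel.php"  # file named in the advisory
LAST_AFFECTED = (3, 0, 2)            # advisory: all versions up to and including 3.0.2
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # "3.1" -> (3, 1, 0)

def plugin_version(plugin_dir):
    """Return the version from the plugin's main file header, or None if not found."""
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # the header sits at the top of the file
        match = VERSION_RE.search(head) if "Plugin Name:" in head else None
        if match:
            return parse_version(match.group(1))
    return None

def audit(plugins_root):
    """Return one finding per copy of remote_tunnel.php under the plugins directory."""
    root = Path(plugins_root)
    findings = []
    for hit in sorted(root.rglob(ENDPOINT_NAME)):
        rel = hit.relative_to(root)
        version = plugin_version(root / rel.parts[0])
        affected = version is None or version <= LAST_AFFECTED  # unreadable version: fail closed
        findings.append({"file": rel.as_posix(), "version": version, "affected": affected})
    return findings

def demo():
    """Audit a constructed plugins tree (names and versions are sample values)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in (("sample-old", "3.0.2"), ("sample-new", "3.1"), ("sample-bare", None)):
            lib = Path(tmp, name, "lib")
            lib.mkdir(parents=True)
            (lib / ENDPOINT_NAME).write_text("<?php // placeholder\n")
            if ver:
                Path(tmp, name, "main.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
        return audit(tmp)

if __name__ == "__main__":
    # Pass a real wp-content/plugins path, or no argument to run the constructed demo.
    for finding in (audit(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(finding)
```

A copy reported as affected is a candidate for the removal or access restriction described in the list above.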



Advisories
Source: EUVD
ID: EUVD-2025-21108
Title: The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

History

Fri, 11 Jul 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
Values Added: epss {'score': 0.00192}


Fri, 11 Jul 2025 04:30:00 +0000

Values Added:

  • Description: The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.
  • Title: Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read and Write via remote_tunnel.php
  • Weaknesses: CWE-798
  • References
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:43.755Z

Reserved: 2025-07-09T22:59:16.298Z

Link: CVE-2025-7401

Vulnrichment

Updated: 2025-07-11T13:23:35.256Z

NVD

Status: Deferred

Published: 2025-07-11T05:15:30.987

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:30:16Z
