Description
The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
Published: 2025-08-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The Custom Query Shortcode plugin for WordPress contains a path traversal vulnerability in the 'lens' parameter of all releases up to 0.4.0. An attacker who can authenticate as a contributor or higher can supply a crafted lens value and cause the plugin to read arbitrary files from the server. Because the contents of those files may include configuration data, credentials or other sensitive information, the flaw results in an information disclosure that jeopardises confidentiality of the site.

Affected Systems

Any site running the Custom Query Shortcode plugin version 0.4.0 or earlier is vulnerable. The plugin is distributed under the name Custom Query Shortcode by developer Peter Hebert. Because the vulnerability is present in all pre‑0.4.0 releases, the entire set of WordPress installations that installed the plugin in those versions is at risk.

Risk and Exploitability

The flaw carries a CVSS score of 6.5 and an EPSS score of less than 1 %, indicating moderate severity but a very low probability of automated exploitation. The vulnerability requires authenticated access with at least contributor privileges, so an attacker must already have a valid account. Because the attack vector is via a WordPress shortcode parameter, exploitation is limited to contexts where the plugin is active; it is not a remote unprivileged exploit. The absence of a KEV listing means there are currently no publicly known exploits, although the method is straightforward once the vulnerability is known.

Generated by OpenCVE AI on April 21, 2026 at 03:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Custom Query Shortcode plugin to the latest version that removes the path traversal flaw. If an updated version is available, replace the vulnerable installation with it.
  • If an upgrade cannot be performed immediately, disable the 'lens' shortcode for all users with contributor or higher roles, or consider replacing the plugin with a trusted alternative that does not expose this parameter.
  • As a temporary protective measure, configure a web‑application firewall rule to block HTTP requests that contain suspicious path traversal tokens (such as ".." or "/") in the lens parameter, reducing the window for exploitation.
  • Review the site’s user role configuration to ensure that contributor accounts have no unnecessary access to plugin shortcodes or file‑reading capabilities.

Generated by OpenCVE AI on April 21, 2026 at 03:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28800 The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
History

Mon, 25 Aug 2025 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 25 Aug 2025 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 25 Aug 2025 09:45:00 +0000

Type Values Removed Values Added
Description The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information.
Title Custom Query Shortcode <= 0.4.0 - Authenticated (Contributor+) Path Traversal via lens Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:44.067Z

Reserved: 2025-08-04T19:06:37.983Z

Link: CVE-2025-8562

cve-icon Vulnrichment

Updated: 2025-08-25T11:29:14.057Z

cve-icon NVD

Status : Deferred

Published: 2025-08-25T10:15:31.190

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8562

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T03:30:26Z

Weaknesses