Description
The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters.
Published: 2025-08-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Inpersttion For Theme plugin for WordPress contains a flaw in the theme_section_shortcode() routine that fails to limit the functions an authenticated user can invoke. The flaw allows a logged‑in Contributor or higher to request any PHP function that the server can call, potentially without parameters, giving full code execution capability on the host. The vulnerability is recorded with a CVSS score of 6.3, indicating moderate severity for the affected platform.

Affected Systems

WordPress installations that include the Inpersttion For Theme plugin, versions 1.0 and earlier. The plugin is distributed under the vendor identifier inpersttion:Inpersttion For Theme. Any site running these versions and permitting Contributor‑level accounts is vulnerable.

Risk and Exploitability

The CVSS score of 6.3 reflects the potential impact of remote code execution once an attacker gains sufficient privileges. The EPSS score of less than 1% indicates the likelihood of exploitation is very low at present, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a valid Contributor account or higher on the target WordPress site; attackers do not need to bypass authentication. Once authenticated, the attacker can trigger the flaw by invoking the shortcode, leading to code execution without any supplied parameters.

Generated by OpenCVE AI on April 20, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Inpersttion For Theme plugin to the most recent release that removes the arbitrary function call vulnerability, or uninstall the plugin if it is no longer needed.
  • If an update is unavailable, modify the plugin’s theme_section_shortcode function to restrict callable functions or disable the shortcode entirely via a custom plugin or functions.php tweak.
  • Revoke Contributor or higher‑privileged accounts from users who do not require them, ensuring only trusted administrators retain the ability to use the shortcode on the site.
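One way to carry out the second recommendation above (disabling the shortcode from a custom plugin while no vendor update exists), written here as an added example that is neither the vendor's nor OpenCVE's code: a must-use plugin that looks up whichever shortcode tag is bound to theme_section_shortcode in WordPress's $shortcode_tags registry and swaps in an inert handler. It assumes the plugin registers its shortcode with a plain string callback of that name and that the registration has happened by the time the init action fires; the function names prefixed mitigation_ are hypothetical.

```php
<?php
/**
 * Plugin Name: Neutralise theme_section_shortcode (mitigation example)
 *
 * Added example, not the vulnerable plugin's code. Place the file in
 * wp-content/mu-plugins/ so it always loads and cannot be deactivated
 * from the dashboard. Assumption: the plugin registers its shortcode as
 * add_shortcode( '<unknown tag>', 'theme_section_shortcode' ).
 */

/**
 * Return every shortcode tag whose callback is the vulnerable function.
 * $shortcode_tags is the global tag => callback registry kept by WordPress.
 */
function mitigation_find_theme_section_tags() {
    global $shortcode_tags;
    $found = array();
    foreach ( (array) $shortcode_tags as $tag => $callback ) {
        if ( is_string( $callback ) && 'theme_section_shortcode' === $callback ) {
            $found[] = $tag;
        }
    }
    return $found;
}

/**
 * Replace the vulnerable handler with one that outputs nothing.
 * Merely calling remove_shortcode() would leave the literal "[tag]" text
 * in rendered posts, so an empty-string handler is registered instead.
 */
function mitigation_disable_theme_section_shortcode() {
    foreach ( mitigation_find_theme_section_tags() as $tag ) {
        remove_shortcode( $tag );
        add_shortcode( $tag, '__return_empty_string' );
        error_log( sprintf(
            'mitigation: shortcode [%s] bound to theme_section_shortcode was neutralised',
            $tag
        ) );
    }
}

// Run at the lowest priority on init so the plugin's own add_shortcode()
// call (whether made at load time or on init) has already taken effect.
add_action( 'init', 'mitigation_disable_theme_section_shortcode', PHP_INT_MAX );
```

Because shortcodes execute when a post is rendered rather than when it is saved, a capability check placed inside the handler would run as the viewer, not the author, and would not stop content saved by a Contributor from executing when an administrator views it; removing the callable or restricting it to a fixed allowlist is the reliable fix.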



Advisories
Source: EUVD
ID: EUVD-2025-24997
Title: The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters.
History

Sat, 16 Aug 2025 21:45:00 +0000

  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress

  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Fri, 15 Aug 2025 16:15:00 +0000

  Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Aug 2025 08:45:00 +0000

  Type: Description
  Values Added: The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters.

  Type: Title
  Values Added: Inpersttion For Theme <= 1.0 - Authenticated (Contributor+) Arbitrary Function Call

  Type: Weaknesses
  Values Added: CWE-94

  Type: References

  Type: Metrics
  Values Added: cvssV3_1
  {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:03.908Z

Reserved: 2025-08-12T19:54:09.748Z

Link: CVE-2025-8905

Vulnrichment

Updated: 2025-08-15T16:07:43.274Z

NVD

Status: Deferred

Published: 2025-08-15T09:15:31.520

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses