CVE-2025-11746
Published: 15 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-11746 is a Local File Inclusion vulnerability (CWE-22) in the XStore theme for WordPress, affecting all versions up to and including 9.5.4. The flaw exists in the et_ajax_required_plugins_popup() function, which enables the inclusion and execution of arbitrary .php files on the server. Published on 2025-10-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction. Exploitation allows them to include and execute PHP code from arbitrary .php files, enabling bypass of access controls, retrieval of sensitive data, or full remote code execution in scenarios where .php files are uploadable and subsequently included.
Mitigation guidance is available in advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/2a49db7f-62fc-472d-9edf-de5edbe48219?source=cve and the XStore theme's update history at https://xstore.8theme.com/update-history/.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2025-11746 is a local file inclusion vulnerability in a public-facing WordPress application, enabling remote code execution for authenticated low-privilege users, directly mapping to T1190: Exploit Public-Facing Application.