CVE-2025-12824
Published: 12 December 2025
Description
The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. This is due to the plugin using an unsanitized user-supplied value from the shortcode's 'mode' attribute in a call to include() without proper path validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities.
Mitigating Controls (NIST 800-53 r5)
- Requires validation of user-supplied inputs such as the 'mode' shortcode attribute prior to use in include() functions, directly preventing arbitrary local file inclusion.
- Directly mandates identification, reporting, and correction of flaws like this LFI vulnerability in the Player Leaderboard plugin through patching.
- Restricts systems to essential capabilities only, allowing disablement of unnecessary plugins like Player Leaderboard to eliminate the vulnerable shortcode.
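The following is an added illustration of the pattern the description and the input-validation control refer to, not code from the Player Leaderboard plugin or the linked changeset. The function names, the mode values and the template file names are assumptions; only the WordPress API calls (shortcode_atts, sanitize_key, plugin_dir_path, add_shortcode) are real. The first handler shows the unsafe shape (an attribute flows straight into an include() path); the second resolves the attribute against a fixed allowlist and additionally confines the resolved path to the plugin directory.

```php
<?php
// Added example, not the plugin's own code. All names below are assumptions.

// Unsafe shape described by the advisory: the 'mode' attribute is concatenated
// into an include() path without validation, so whoever can place the shortcode
// (Contributor and above) chooses which local file is executed.
function plb_example_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'mode' => 'weekly' ), $atts, 'player_leaderboard' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'partials/' . $atts['mode'] . '.php'; // untrusted path
    return ob_get_clean();
}

// Hardened shape: map each permitted mode to a known template and refuse the rest.
function plb_example_allowed_templates() {
    return array(
        'weekly'  => 'partials/leaderboard-weekly.php',
        'monthly' => 'partials/leaderboard-monthly.php',
        'alltime' => 'partials/leaderboard-alltime.php',
    );
}

function plb_example_resolve_template( $mode ) {
    $templates = plb_example_allowed_templates();
    $mode      = sanitize_key( (string) $mode ); // lowercases, keeps only [a-z0-9_-]
    if ( ! array_key_exists( $mode, $templates ) ) {
        return null; // unknown mode: never touch the filesystem with user input
    }
    // Defence in depth: the resolved file must stay inside the plugin directory.
    $base = realpath( plugin_dir_path( __FILE__ ) );
    $real = realpath( plugin_dir_path( __FILE__ ) . $templates[ $mode ] );
    if ( false === $base || false === $real
        || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $real;
}

function plb_example_shortcode_hardened( $atts ) {
    $atts     = shortcode_atts( array( 'mode' => 'weekly' ), $atts, 'player_leaderboard' );
    $template = plb_example_resolve_template( $atts['mode'] );
    if ( null === $template ) {
        return ''; // render nothing rather than an attacker-chosen file
    }
    ob_start();
    include $template;
    return ob_get_clean();
}

// Only the hardened handler is registered; the vulnerable one exists for contrast.
add_shortcode( 'player_leaderboard_example', 'plb_example_shortcode_hardened' );
```

The allowlist is the control that matters: once the attribute is only ever used as a lookup key, no value the author of a post supplies can reach include() as a path. The realpath() check is redundant for the allowlisted entries but catches future edits that reintroduce concatenation.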
Security Summary
CVE-2025-12824 is a Local File Inclusion vulnerability (CWE-22) in the Player Leaderboard plugin for WordPress, affecting all versions up to and including 1.0.2. The flaw occurs in the 'player_leaderboard' shortcode, where an unsanitized user-supplied value from the 'mode' attribute is passed to an include() function without proper path validation, enabling the inclusion of arbitrary local files.
Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows inclusion and execution of arbitrary PHP files on the server, potentially bypassing access controls, extracting sensitive data, or achieving remote code execution if paired with file upload features. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects its high impact on confidentiality, integrity, and availability.
Advisories reference the vulnerable code at line 1419 in public/class-player-leaderboard-public.php on the WordPress plugins trac (https://plugins.trac.wordpress.org/browser/player-leaderboard/trunk/public/class-player-leaderboard-public.php#L1419), a related changeset (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3416129%40player-leaderboard&new=3416129%40player-leaderboard), and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/527f8f08-bab3-4319-99bf-845c8b378c19?source=cve), which detail the issue for mitigation assessment.
Details
- CWE(s): CWE-22
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability in the WordPress plugin enables exploitation of a public-facing web application (T1190) via network-accessible shortcode manipulation, allowing authenticated low-privilege attackers to include and execute arbitrary local PHP files for remote code execution and to extract sensitive data from the local system (T1005).