CRITICAL🇵🇱 Wersja polska

CVE-2025-14502

CVSS 9.8v3.1pub. 2026-01-14upd. 2026-04-15

The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of the 'template' parameter in the plugin's AJAX module (class-nbdb-ajax.php file), which without appropriate validation allows specifying any .php file on the server. An attacker can remotely make a request pointing to a PHP file of their choice, which will then be loaded and executed by the server. In a scenario where an attacker can previously upload their own .php file to the server (e.g., through another functionality), full Remote Code Execution is possible. The vulnerability is classified as CWE-98 (improper control of filename for include/require statement).

Impact

An unauthenticated attacker can execute arbitrary PHP code on the server, bypass access control mechanisms, gain access to sensitive data, or take complete control of the server hosting the WordPress website.

Mitigation & patch

The 'News and Blog Designer Bundle' plugin should be updated immediately to a version higher than 1.1. If an update is not yet available, the plugin should be deactivated or removed, and PHP file uploads to the server should be restricted. Detailed information is available in the vendor references and Wordfence database.

Who is affected

WordPress plugin 'News and Blog Designer Bundle' in all versions up to and including 1.1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References